What’s All the Fuss About? Krack
Tech companies are scrambling to fix a Wi-fi flaw that affects everyone
What is it?
A very serious security flaw spotted in the WPA2 Wi-fi protocol that lets hackers break the encryption between routers and devices. This enables them to intercept internet traffic, and inject malware into non-secure websites. It’s a hacker’s dream.
Remind me - what’s WPA2?
Standing for Wi-fi Protected Access II, it’s a form of security that protects wireless computer networks. It was developed by non-profit organisation Wi-fi Alliance, and was made available in 2004. Its complex encryption technique makes it much harder to crack than the first WPA.
But it’s not infallible?
Clearly not. Belgian researchers Mathy Vanhoef and Frank Piessens discovered Krack (or Key Reinstallation Attack) last year, but waited until this October to go public, launching a website (www.krackattacks.com) along with a logo (see main image). They showed how the flaw allows hackers to interfere with the ‘handshake’ between computers and routers when they connect.
Wait - my computer shakes hands with my router?
In technical parlance, yes - it’s an exchange of information that checks you have the right password to join the network. The devices then create a session key to encrypt information sent between them. But Krack lets a hacker decrypt this data. They wouldn’t even need to connect to the network, only monitor the information being sent. They could also mimic your router, so everything you send goes through their equipment, and read what’s saved on any storage devices attached to your computer.
So it’s a serious flaw?
Very, because it exists in a protocol used by billions of devices worldwide – anything that connects via Wi-fi. Flaws in individual programs or websites typically affect fewer people. So why did the researchers wait before exposing the flaw? To give manufacturers time to fix it. They told hardware and software developers before going public. Full marks go to Microsoft, which released a fix for Windows 7, 8.1 and 10 computers as part of an update in early October. To check you received it, open Settings (press Windows key+i) and select ‘Update & security’, Windows Update, then ‘Update history’. Check for updates numbered between KB4041600 and KB4042900, and an installation date between early and mid-October.
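The same check can be run from a PowerShell window instead of clicking through Settings. This is an added example, not part of the original article: it uses the built-in Get-HotFix cmdlet with the KB range quoted above, and the variable names are our own. Get-HotFix lists only some kinds of update, so an empty result means "look in Update history", not "unpatched".

```powershell
# Added example (not from the article): list installed updates whose KB number
# falls inside the range the article quotes, with their installation dates.
$low  = 4041600   # lower bound given in the article (KB4041600)
$high = 4042900   # upper bound given in the article (KB4042900)

$hits = foreach ($fix in Get-HotFix) {
    # HotFixID normally looks like "KB4041676"; skip anything that does not.
    if ($fix.HotFixID -match '^KB(\d+)$') {
        $number = [int]$Matches[1]
        if ($number -ge $low -and $number -le $high) {
            [pscustomobject]@{
                KB          = $fix.HotFixID
                Description = $fix.Description
                # InstalledOn can be empty on some systems; show that plainly.
                InstalledOn = if ($fix.InstalledOn) {
                                  $fix.InstalledOn.ToString('yyyy-MM-dd')
                              } else {
                                  'unknown'
                              }
            }
        }
    }
}

if ($hits) {
    # Compare the dates shown with the early to mid-October window.
    $hits | Sort-Object KB | Format-Table -AutoSize
} else {
    Write-Warning ("No update between KB$low and KB$high was reported by " +
                   "Get-HotFix. Confirm in Settings > Update & security > " +
                   "Windows Update > Update history before drawing a conclusion.")
}
```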
What about Apple and Android devices?
Their fixes came a few weeks later. Apple built one into iOS 11.1, the first update to the new version of its mobile operating system. More problematic is Google’s Android because there are so many devices running it, which are made by different manufacturers, some using older versions of the operating system. Vanhoef called Krack “exceptionally devastating” for Android.
So what should I do if I use Android?
If it’s a Google device (for example, Pixel or Nexus), you should be fine, because the company released updates in early November. But on devices made by other manufacturers, such as Samsung, LG and OnePlus, you’ll have to check for updates by tapping Settings, then ‘About device’ and ‘Download updates manually’. However, it may take some time for these to arrive.
What about my router?
You’ll need to update this if devices other than a PC, phone or laptop connect to it. To see if your router manufacturer has updated its firmware with a fix, check the list compiled by the Computer Emergency Readiness Team (CERT), part of the US government’s Department of Homeland Security: www.snipca.com/26194. Click ‘Affected’ next to the manufacturer’s name for the latest information (see screenshot left).