A serious weakness in Wi-Fi security was made public earlier today. The Key Reinstallation Attack (KRACK) can break Wi-Fi encryption, opening your data up to eavesdropping. By replaying messages of the WPA2 handshake, an attacker within radio range tricks a device into reinstalling a key it is already using; that resets the packet counter (nonce) and replay counter, so keystream is reused and traffic can be decrypted. Combined with a bug in the Wi-Fi client software used by Linux and Android (wpa_supplicant), which ends up installing an all-zero key, this makes it possible for attackers to decrypt and change the content of websites you view. This is a serious problem for Wi-Fi Protected Access 2 (WPA2), a protocol used in millions of networks worldwide.
Luckily, the use of Transport Layer Security (TLS) is on the rise. Mozilla’s data shows that over 60% of pages loaded in Firefox use TLS. More and more companies are using encryption for all traffic and removing the ability to connect to unencrypted versions of their sites. When connecting to these sites, KRACK isn’t as big of a deal, because the data is encrypted before it’s sent across Wi-Fi. Even if WPA2 is broken, the contents of the data stay confidential; an attacker on the network can still see which hosts you talk to and how much you send, but not what you send.
Unfortunately there are still millions of sites that don’t provide this security. Their users are vulnerable to eavesdropping, fake content, malware injection, and more. Offering TLS is not enough on its own: if a site also answers over plain HTTP, a network attacker can keep the browser on the unencrypted version even when an encrypted one exists. HTTP Strict Transport Security (HSTS) closes that gap by telling the browser to use only HTTPS for that site in future. We need more companies and operators to use TLS and HSTS to mitigate the potential impact of KRACK.
Internet traffic exists in layers, which makes it possible to use more than one kind of encryption to build defense-in-depth. When a problem is found in one layer, we can lean on the other layers to provide security. So, while encryption is fundamentally important, multiple layers of encryption are necessary to provide robust online security over time.
We expect to see software updates in the coming days to address the issues with WPA2. Sadly, given the widespread use of Wi-Fi, and how rarely many hardware devices are updated, KRACK is going to be a problem for a long time to come.
The need for an easy way to update Internet of Things devices is on the agenda at the next Internet Engineering Task Force (IETF) meeting. We need to develop new and more widely-supported solutions to the need for Internet-connected devices of all kinds to be easily updated. KRACK will certainly not be the last widespread vulnerability of this kind.
What You Can Do
1. Update Your WiFi Devices. Check to see if your connected devices have updates. KRACK is mainly a flaw in the client side of the handshake, so laptops, phones and Internet-connected gadgets need patching first; access points need updates too, chiefly where they use fast roaming (802.11r) or act as clients themselves, such as repeaters. Changing your Wi-Fi password does not help. In some cases, this may require figuring out how you log in to or administer those devices. If no updates are available, look at the vendor’s website (or contact the vendor) to find out when an update will be available. Note that you may need to keep checking over the days and weeks ahead.
2. Check How Well Your Website Supports TLS. If you operate a website, test it with a TLS configuration scanner (for example Mozilla Observatory or Qualys SSL Labs) to see if it has the best possible level of TLS support. Make whatever updates you can to support TLS and HSTS: redirect all plain HTTP requests to HTTPS, send an HSTS header with a long max-age, and disable protocol versions older than TLS 1.2 where your users allow it.
3. Use a VPN On WiFi Networks – Whenever you connect to a WiFi network, use a virtual private network (VPN). This adds another layer of encryption between you and the VPN provider, so an attacker on the Wi-Fi network cannot read your traffic; they can still see that you are talking to the VPN server, and the protection ends at the VPN provider’s network. Make sure the VPN client sends all traffic, including DNS lookups, through the tunnel.
4. Encourage vendors to support the Online Trust Alliance (OTA) IoT Trust Framework. In embracing this framework, vendors agree to provide patching and support capability in their devices.
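To make step 2 concrete, here is an added example (not code from the original article) that audits the HTTPS posture the article asks for: a redirect from plain HTTP, a valid Strict-Transport-Security header with a long max-age, includeSubDomains and preload, and a negotiated protocol no older than TLS 1.2. The responses in `SAMPLE_RESPONSES` are constructed for illustration, not captured from real sites; in practice you would fill the same tuple from a real request, or simply run one of the scanners named above.

```python
"""Audit recorded HTTP(S) responses for the TLS and HSTS settings recommended above.

Added example for this article, not the article's own code. SAMPLE_RESPONSES are
constructed: (scheme the request used, status, negotiated TLS version or None, headers).
"""

ONE_YEAR = 365 * 24 * 3600  # browser preload lists require max-age of at least a year
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security value into {lowercase directive: value or True}.

    Directive names are case-insensitive (RFC 6797); max-age is the only required one.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or True
    return directives


def audit_response(scheme: str, status: int, tls_version, headers: dict) -> list:
    """Return a list of findings (empty means the response passes every check)."""
    findings = []
    if scheme == "http":
        location = headers.get("location", "")
        if not (300 <= status < 400 and location.startswith("https://")):
            findings.append("plain HTTP is served without a redirect to HTTPS")
        if "strict-transport-security" in headers:
            findings.append("browsers ignore HSTS sent over plain HTTP; send it over HTTPS")
        return findings

    if tls_version in WEAK_PROTOCOLS:
        findings.append(f"negotiated {tls_version}; disable protocols older than TLS 1.2")

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header: every visit can be downgraded")
        return findings

    directives = parse_hsts(hsts)
    raw_max_age = directives.get("max-age")
    if not isinstance(raw_max_age, str) or not raw_max_age.isdigit():
        findings.append("HSTS max-age is missing or not an integer; browsers discard the header")
        return findings
    max_age = int(raw_max_age)
    if max_age == 0:
        findings.append("max-age=0 switches HSTS off")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age of {max_age}s is short; use at least one year")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing: an HTTP subdomain can still be used to set cookies")
    if "preload" not in directives:
        findings.append("not eligible for the browser preload list; the first visit is unprotected")
    return findings


# Constructed sample responses, one per posture the article describes.
SAMPLE_RESPONSES = {
    "legacy-http-only": ("http", 200, None, {"content-type": "text/html"}),
    "http-redirects": ("http", 301, None, {"location": "https://example.test/"}),
    "https-no-hsts": ("https", 200, "TLSv1.2", {"content-type": "text/html"}),
    "https-short-hsts-old-tls": ("https", 200, "TLSv1",
                                 {"strict-transport-security": "max-age=86400"}),
    "hardened": ("https", 200, "TLSv1.3",
                 {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"}),
}


def audit_all(responses=None) -> dict:
    """Audit every sample and map its name to its findings."""
    responses = responses if responses is not None else SAMPLE_RESPONSES
    return {name: audit_response(*response) for name, response in responses.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

The HTTP and HTTPS checks are separate on purpose: a site can pass one and fail the other, and only the combination of a redirect plus a long-lived HSTS header (ideally preloaded) removes the downgrade window that a Wi-Fi attacker needs.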
Image credit: Matt Artz on Unsplash