Update 2017-10-31: Apple fixes the KRACK issue with software updates
Today, Apple released security updates for macOS El Capitan, Sierra, and High Sierra that includes a fix for the KRACK WPA2 bug, as well as updates to iOS, watchOS, and tvOS. See the App Store and Software Update for the latest updates from Apple.
The latest big internet security threat has opened up a “crack” in the WPA2 wireless security protocol.
WPA2 (Wireless Protected Access version 2) is the most common encryption protocol used when connecting to Wi-Fi networks, and was assumed to be secure until this recent disclosure. Computer and device manufacturers are now working to patch this vulnerability.
What is KRACK?
KRACK stands for Key Reinstallation Attack. It exposes a fundamental flaw in the way many Wi-Fi systems operate. This flaw in WPA2 makes it possible for attackers to eavesdrop on your data when connected to an unpatched Wi-Fi network. This data could include sensitive information such as passwords, emails, photos, and banking information, if not handled securely.
An attacker who is within range of your Wi-Fi network (or has planted a rogue device on your network) can intercept traffic between your device and your router when using HTTP or HTTPS. in the case of HTTPS, the data will still be encrypted, but unencrypted (HTTP) data can be easily read.
Many devices on networks don’t use encryption as they depend the WPA2 encryption — which is what makes this attack potentially serious. This includes IoT (internet of things) devices like wireless security cameras, thermostats, etc.
If you are using a hosted FileMaker Pro app, make sure that your FileMaker Server is properly configured with a custom SSL certificate, and displays the green “lock” icon to ensure your data is not vulnerable to interception.
If you have a WordPress website or any other site that has a login and does not use HTTPS, get that fixed immediately to ensure your login could not be compromised.
When using public Wi-Fi, you should ideally be using a VPN like Encrypt.me (or similar) to keep your traffic secure — but it’s now essential as there is no way to easily determine if your local coffee shop’s network is secure or not.
Which devices are affected?
Everything from wireless access points, routers, smart phones, iPads and computers can be affected. In addition, wireless IOT (Internet of Things) devices are vulnerable as well – devices such as wireless security cameras, door locks, garage door openers, smart switches/lights, and the like. Basically, if it has Wi-Fi support, it may be vulnerable.
Linux based devices like Android phones/tables and micro computers all use a common vulnerable Wi-Fi library and are likely affected.
What about Apple devices?
Apple is actively working on patches, and says that these patches should be coming out soon. They announced that they have already patched the vulnerability in the betas for iOS, tvOS, watchOS and macOS. These betas are currently available to developers, but they should go out to consumers soon. It has been confirmed that iOS 11.1 includes a fix, and a Mac OS fix is likely coming out soon as well.
For those using an Apple Airport router, according to iMore’s Rene Ritchie: “…it’s my understanding that Apple’s AirPorts, including Express, Extreme, and Time Capsule don’t seem be vulnerable to the exploit…” (article linked below).
What can I do about it?
- Use Ethernet (wired) as much as possible until devices are patched
- Use a VPN when not on Ethernet or a known secure network
- Update all wireless devices you own or manage with the latest security patches or firmware updates
- Make sure you are using HTTPS when transmitting any sensitive information over the web (as always, but now more important than ever)
- Contact your router manufacturer or Wi-Fi access point manufacturer to see if any patches are available
- Update firmware on any Internet of Things devices if updates are available
- Update your iPhone to iOS 11.1 when it is released
- Update your Mac when any security updates are released
- Official KRACK attack site – Marty Vanhoef
- CNet – How Companies are Responding
- MacRumors – Apple’s Response
- AppleInsider – Apple Confirms Patch
- iMore – Wi-Fi exploit already fixed in iOS, macOS, tvOS, watchOS betas – Rene Ritchie
Also published on Medium.