How do you protect your Wi-Fi devices from KRACK’s Wi-Fi flaw? originally appeared on Quora – the place to gain and share knowledge, empowering people to learn from others and better understand the world.
Answer by Zouhair Belkoura, CEO & Co-Founder, Keepsafe Software, on Quora:
With the KRACK vulnerability publicized this week, anyone who uses a Wi-Fi-enabled device may be at risk for sharing unencrypted traffic with potential attackers who bypass WPA2 network security. The WPA2 security protocol is used by routers and devices to encrypt people’s activity. Attackers who want to exploit the newly revealed weakness could steal sensitive data passing over the network including passwords, credit card numbers, chat messages, emails, photos, spicy memes, and the list goes on.
A key way to protect yourself is using a VPN. Since a virtual private network creates a tunnel that encrypts your personal information and browsing activity, anyone using a reputable VPN is safe from a Krack Attack. However, the key word here is reputable.
A VPN also safeguards against having your personal information hacked when you use public Wi-Fi hotspots. VPNs can help you circumvent being tracked by your Internet Service Provider, your IT department at work, and even government surveillance.
Choosing a VPN can be complicated and risky. This is why it’s critical to trust your VPN provider, pay for the service and verify that your VPN doesn’t keep logs. Here’s more information about factors you should consider when selecting a VPN to protect your privacy and keep you safe from potential hacks.
1. Use a VPN that you trust.
Technically VPN providers could access your browsing activity since they create the encrypted tunnel and proxies that shield your personal data. Social proof isn’t a leading indicator for a service that works well and is trustworthy. You can’t verify a VPN is effective and reputable going on customer reviews and ratings alone. Make sure that the VPN provider you use is one with a track record and company mandate for protecting people’s privacy. A trusted VPN provider should be straightforward about its offering.
2. Pay for your VPN.
When you pay for VPN, you lower the chances of falling victim to a sketchy VPN service run by a company with the wrong motivations. A paid service has limited incentive to track and sell your profile to third parties or worse, steal your personal information. If a company is offering free VPN, you are their business model! Free VPN providers are often reselling customer data to third parties. If your privacy and security are important to you, they are worth paying for! A stand-up VPN company should have an easy-to-understand business model and clearly state what it gets in return for allowing you to use its service.
3. Confirm your VPN doesn’t keep logs.
Your privacy’s preservation depends on whether your VPN provider keeps logs of your Internet activity. In short, they shouldn’t. Without logs, a VPN provider can’t collect, sell or expose your browsing activity because it doesn’t exist anywhere! Check that your VPN provider has no logs and your privacy is assured before you sign up to use the service.
* Note that if you’re using a VPN on your mobile device and want your activity to be anonymous, you must reset your Advertising Identifier in iPhones and the Advertising ID in Android (both use a technology akin to cookies to help advertisers monitor mobile activity). You can do this in both platforms’ Settings menus.
4. Opt for a simple, auto-connecting VPN.
VPNs can get complicated and technical quickly. If you can’t easily turn on your VPN to protect your Internet connection, it won’t be convenient enough to use to secure your personal data. A VPN that auto-connects when you join an unfamiliar network makes it even easier to stay protected, because you never need to remember to turn it on. Remember, a VPN is only effective at protecting you if you actually use it. Choose a solution that’s easy to set up and turn on so you can get back to the business of being yourself.
5. Go with a fast, convenient mobile VPN.
You may be accustomed to using a VPN on your computer at work, but you can also protect the privacy of personal data and Internet activity (and even mask your location) on your primary device — your phone with a mobile VPN app.
A great VPN is fast and never slows you down. The service you choose should be virtually unnoticeable when it’s connected. You also shouldn’t have to sweat how much bandwidth you’re using or adding additional devices to your plan.
Using a VPN is a smart way to protect your device from emerging vulnerabilities like the KRACK attack and when you join a public Wi-Fi or cellular network. VPNs need not be exclusively for the technically savvy. They should be accessible to anyone and everyone who cares about privacy and wants to stay in control, not fall victim to a breach.
The best VPN for privacy is made by a provider you trust, that doesn’t keep logs and is a service you pay for. An offering that’s easy-to-use, foolproof and convenient will guarantee that you actually use the VPN once you find one that meets your standards. You shouldn’t have to worry about remembering to turn your VPN on, adding multiple devices to your account or how much bandwidth you’re using.
KRACK is a security vulnerability recently discovered by security researcher Mathy Vanhoef. This vulnerability can potentially compromise billions of users on Wi-Fi networks using the WPA and WPA2 protocols. Today’s article will shed light on KRACK in detail and offer tips on how to protect yourself against this latest security vulnerability.
KRACK, which stands for Key Reinstallation Attack, is the latest security flaw that left billions of devices exposed to hackers, giving them complete access to the user’s network traffic. This vulnerability is not just another type of weakness in cybersecurity, as the vulnerability exists in the Wi-Fi network itself and not because of any flaw in the product or technical implementations.
The extent of its impact will become clearer in the coming weeks, with Internet of Things (IoT) devices identified as the most vulnerable of them all. This is because IoT manufacturers often neglect to adopt security standards and/or update their systems, leaving more unpatched IoT devices exposed to security vulnerabilities.
How does KRACK Work?
Any device based on iOS, Android, macOS, Windows, or Linux is likely to be vulnerable to this attack, as long as it is connected to Wi-Fi. So how does it work? It starts with the hacker setting up a Wi-Fi network with an SSID identical to that of a wireless network used by a specific user.
Once the hacker detects that the user is trying to connect to either wireless network, they intercept the connection by sending special packets that divert the device to another network where they can decrypt the traffic, paving the way for malicious activities to take place.
The hacker does not need to connect to the wireless network at all. They only need to snoop on the decrypted data transmitted through Wi-Fi, regardless of whether it’s protected by a password. Essentially, this vulnerability does not try to break the Wi-Fi password. Instead, it changes the encryption key to decrypt the network traffic, giving the hacker access to the user’s data, such as credit card numbers, emails, and passwords.
Luckily, KRACK is not simple to carry out, since hackers need to be within range of the Wi-Fi network. It can’t be performed remotely, unlike previous security vulnerabilities such as Heartbleed. This reduces the risk of an average person being a likely target of KRACK.
How to Protect Yourself from KRACK?
Most of the vendors behind devices running iOS, Android, Windows, and Linux have already started issuing new security patches. Make sure that you always keep your devices up to date. Here are other tips to keep your data safe from KRACK:
A Virtual Private Network adds another layer of security, which works like a concealed tunnel that encrypts data transmitted from your device. Huge corporations generally use VPNs as a method to secure communication when connecting remotely to their data centers.
More and more individual users are adopting it, especially when accessing Wi-Fi from an insecure environment (coffee shop, airport or hotel Wi-Fi). It uses a combination of encryption protocols and dedicated connections to create a P2P connection. So, even if someone were able to funnel some of the data, they still couldn’t access it due to the encryption.
Check for HTTPS
See if the website you’re browsing from has a green lock icon on the address bar. This indicates that the website runs on HTTPS (a secure HTTP version), a protocol used to transmit data between the browser and the website. It indicates that the connection is secure.
It combines ordinary HTTP with the SSL (Secure Sockets Layer) and/or TLS protocol. Both SSL and TLS run an asymmetric Public Key Infrastructure system that allows the identification and distribution of public encryption keys. SSL encrypts the data exchanged between computers and servers, making it hard for hackers to intercept.
Keep devices always updated
Check if your device has firmware updates and make sure to install them as soon as it’s available. While products and technology may continue to evolve, they are still far from perfect. More often than not, there will be some loopholes in the software system. It’s just a matter of time before third parties can discover and exploit them.
Tech giants like Google and Apple will often ask their employees to hack into their system with a goal to uncover and resolve any flaws that malicious hackers can use to their advantage. Even if a mobile app may not offer any new features besides bug fixes, it’s still worth the update as this prevents your device from being hacked in the future.
Stay Safe with HTTPS
Here at Vodien, we go beyond just hoping for the best. We take every security threat with utmost priority and ensure that our customers are well-informed and secure against any security vulnerabilities such as KRACK.
With our Thawte-certified SSL Certificate, your website is protected with up to 256-data encryption at the root level from data spoofing, phishing, and other malicious activities. Protect your visitors against the next cyber attack before it’s too late. Click on the link to know how SSL can benefit your website and boost customer trust and confidence.
The KRACK attack made WPA2 connections vulnerable, and now we must take measures to guarantee the security of our Wi-Fi networks. Therefore, today we explain everything you need to know about the KRACK attack and how to become a Wi-Fi protector. Protect yourself and your friends from hacker attacks!
Keep your Wi-Fi Protected after KRACK Attack
Only a few days ago, a series of security vulnerabilities in Wi-Fi networks came to light, known as KRACK, an English acronym for key reinstallation. The WPA2 security protocol, used to protect the vast majority of wireless connections, has been “hacked”, compromising the security of Wi-Fi network traffic and exposing personal information.
The weakness, identified by the researcher Mathy Vanhoef, could affect 41% of the devices that run the Android operating system. With the emergence of these new threats, cyber criminals could take advantage of security vulnerabilities in wireless networks to intercept access credentials, credit card information, emails or personal information.
How does KRACK Attack Work?
When a device connects to a Wi-Fi network with WPA2, the first step in communication is to negotiate with the router a key that will be used to encrypt the traffic sent between them. This key is not the key of the Wi-Fi network, but a random one, which is negotiated for each session.
To agree on this encryption key, the devices perform the “4-way handshake”, in which they confirm through messages that both have the encryption key.
The problem is that the WPA2 protocol does not verify that the key is different from the ones that were already used. Therefore, the system uses the same key more than once, and this is the vulnerability.
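A toy model of the key reuse described above, as an added example that is not from the original article. It compares a client that reinstalls a session key it is already using (restarting its packet counter) with one that refuses to, which goes slightly beyond the text by showing the patched behaviour; the class, the hash-based keystream (a stand-in for the real WPA2 cipher) and the frame contents are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample frames (same length), not captured traffic.
FRAME_A = b"constructed frame one"
FRAME_B = b"constructed frame two"


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy keystream derived from (key, nonce); a stand-in for the real cipher."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Client:
    """Hypothetical client model: holds one session key and a packet counter."""
    patched: bool
    key: Optional[bytes] = None
    nonce: int = 0
    seen: Set[Tuple[bytes, int]] = field(default_factory=set)
    reused_nonces: List[int] = field(default_factory=list)

    def on_message3(self, session_key: bytes) -> bool:
        """Handle handshake message 3; return True if the key was (re)installed."""
        if self.patched and session_key == self.key:
            # Patched behaviour: this key is already in use, keep the counter.
            return False
        # Installing a key restarts the packet counter. Doing this for a key
        # that is already in use is the reinstallation problem.
        self.key = session_key
        self.nonce = 0
        return True

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Encrypt one frame under the next counter value."""
        self.nonce += 1
        pair = (self.key, self.nonce)
        if pair in self.seen:
            self.reused_nonces.append(self.nonce)  # same key, same counter
        self.seen.add(pair)
        return self.nonce, xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))


def run_session(patched: bool) -> dict:
    """One handshake, one frame, a retransmitted message 3, then a second frame."""
    session_key = hashlib.sha256(b"constructed session key").digest()
    client = Client(patched=patched)
    client.on_message3(session_key)
    n1, c1 = client.send(FRAME_A)
    reinstalled = client.on_message3(session_key)  # retransmission, same key
    n2, c2 = client.send(FRAME_B)
    return {
        "reinstalled": reinstalled,
        "nonces": (n1, n2),
        "reused_nonces": client.reused_nonces,
        # With a repeated keystream the two ciphertexts XOR to the XOR of the
        # plaintexts, so the encryption no longer hides the data.
        "keystream_repeated": xor(c1, c2) == xor(FRAME_A, FRAME_B),
    }


if __name__ == "__main__":
    for label, patched in (("unpatched", False), ("patched", True)):
        print(label, run_session(patched))
```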
How to protect your Wi-Fi against KRACK attack?
Keep the IP address hidden: KRACK attack is vulnerable to this.
In an increasingly connected world, users need to feel protected, and with good reason: once a cyber criminal hacks a wireless network, the possibilities for “hacking” are practically endless. But how can users protect themselves from these attacks and connect to the network securely?
McAfee advises users to keep their IP address hidden while connecting to public or open Wi-Fi networks. This will allow both their location and their information (bank details, passwords, credentials, etc.) to remain secure.
Update devices: the key against KRACK attack
The company also emphasizes the importance of updating the devices. Users should make sure to install security updates on their devices. In this way, they can avoid, as much as possible, any vulnerability in the systems.
Update the router “firmware”
The router is the most important element to protect the wireless network. However, this update depends, to a large extent, on the speed with which device manufacturers and software developers generate a patch.
Therefore, McAfee emphasizes that it is advisable to consult the website of the manufacturer of the corresponding device to learn the details and the status of the patch that protects it from the KRACK attack.
Use a virtual private network: it will be useful against KRACK attack
It is also advisable to use VPNs to avoid the KRACK attack. If users need to connect to a public network, they can use a virtual private network (VPN). A VPN will keep the information private and make sure that the data goes directly from the device to where it is connected. It is essential to install security on the devices.
Having a complete security solution can help keep the devices away from viruses and other “malware”. Also, VPN devices are so secure and they update the system every day!
The appearance of this new vulnerability in Wi-Fi networks using WPA2 security encryption reinforces the idea that cybercriminals are increasingly creative and use more attack methods to try to attack systems. Therefore, as the company points out, users must be ready to counteract these threats and ensure the security of all their devices.
Every Wi-Fi network using WPA or WPA2 encryption is vulnerable to a key reinstallation attack. Here are some more details and means of protection.
October 16, 2017
Most vulnerabilities go unnoticed by the majority of the world’s population even if they affect several million people. But this news, published today, is probably even bigger than the recently disclosed Yahoo breach and affects several billion people all over the world: Researchers have found a bunch of vulnerabilities that make all Wi-Fi networks insecure.
A paper published today describes how virtually any Wi-Fi network that relies on WPA or WPA2 encryption can be compromised. And with WPA being the standard for modern Wi-Fi, that means pretty much every Wi-Fi network in the world is vulnerable.
The research is quite complicated, so we won’t go through it in detail and will just briefly highlight the main findings.
How KRACK works
Researchers have found out that devices based on Android, iOS, Linux, macOS, Windows, and some other operating systems are vulnerable to some variation of this attack, and that means almost any device can be compromised. They called this type of attack a key reinstallation attack, or KRACK for short.
In particular, they describe how an attack on Android 6 devices works. To execute it, the attacker has to set up a Wi-Fi network with the same name (SSID) as that of an existing network and target a specific user. When the attacker detects that the user is about to connect to the original network, they can send special packets that make the device switch to another channel and connect to the fake network with the same name.
After that, using a flaw in the implementation of the encryption protocols they can change the encryption key the user was using to a string of zeroes and thus access all of the information that the user uploads or downloads.
One may argue that there’s another layer of security — the encrypted connection to a site, e.g., SSL or HTTPS. However, a simple utility called SSLstrip set up on the fake access point is enough to force the browser to communicate with unencrypted, HTTP versions of websites instead of encrypted, HTTPS versions, in cases where encryption is not correctly implemented on a site (and that is true for quite a lot of websites, including some very big ones).
So, by using this utility in their fake network, the attacker can access the users’ logins and passwords in plain text, which basically means stealing them.
What can you do to secure your data?
The fact that almost every device in almost every Wi-Fi network is vulnerable to KRACK sounds quite scary, but — like pretty much any other type of attack — this one is not the end of the world. Here are a couple of tips on how to stay safe from KRACK attacks in case anyone decides to use them against you.
- Always check to make sure there’s a green lock icon in the address bar of your browser. That lock indicates that an HTTPS (encrypted and therefore secure) connection to this particular website is being used. If someone attempts to use SSLstrip against you, the browser will be forced to use HTTP versions of websites, and the lock will disappear. If the lock is in place, your connection is still secure.
- The researchers warned some network appliance manufacturers (including the Wi-Fi Alliance, which is responsible for standardizing the protocols) in advance of releasing their paper, so most of them have to be in the process of issuing firmware updates that can fix the issue with key reinstallation. So check if there are fresh firmware updates for your devices and install them as soon as possible.
- You can secure your connection using a VPN, which adds another layer of encryption to the data transferred from your device. You can read more on what a VPN is and how to choose one, or grab Kaspersky Secure Connection right away.
Posted by BulletVPN on 23 10 2017.
A couple of days ago, Belgium-based security researcher Mathy Vanhoef disclosed a serious flaw in Wi-Fi’s WPA2 security protocol. This was called the KRACK vulnerability, which is short for Key Reinstallation Attack. Through this, the four-way authentication process between a network and a device can be targeted to enter a previously protected cyberspace. Since most devices and routers depend on WPA2 to encrypt Wi-Fi traffic, the vulnerability is suspected to affect almost everyone with a Wi-Fi connection.
What is KRACK Wi-Fi Vulnerability and How to Protect Yourself
What Can KRACK Vulnerability do?
Through the vulnerability, security defaulters can intercept the traffic between your router and your device. Essentially, this will enable the attackers to read any unencrypted data. The attackers may also be able to inject bugs into the websites you are looking at and infect your system with ransomware.
However, there is also a lot of false information circulating around what the vulnerability can achieve, so let’s clear the air regarding some of these. The vulnerability cannot decipher passwords. Furthermore, if your web traffic is being securely channelized by the use of HTTPS, the attackers can’t touch that data either. Another thing that can’t happen is tracing unencrypted traffic from a distant location.
Similar to sharing a Wi-Fi network at a public place, the attackers need to be in the vicinity of your network to harm your computer. This fact alone greatly reduces the possibility of being vulnerable to sudden attacks. To that end, people in crowded areas or places with huge public Wi-Fi networks, like airports, should be on their guard. It will be wise to not connect to a public Wi-Fi at all for a while.
But the attackers can still deploy packet injection to interfere with your connection and disrupt or block you out of certain network services and protocols. And accessing unencrypted traffic does mean that sensitive information like credit card numbers and social security codes is at risk of being stolen.
For the people who have already started hyperventilating at the thought of their network getting broken into, please remember that the vulnerability was exposed by a security provider and not a hacker. Miscreants would have also learned about KRACK along with the rest of the world, and would take some time to act on the loophole.
The entire premise of the security vulnerability is the theoretical possibility of a breach and how one can safeguard their devices before their traffic can be intercepted. The idea is also for companies to release patches against such a sophisticated vulnerability before it can be scaled to a full-fledged attack in the near future.
What Can You Do to Protect Yourself
There are several things that you can do at your end instead of waiting for patches and living in perpetual fear.
Use a VPN
For extra privacy and security whenever you go online, you should always connect to a VPN server first. VPN service providers such as BulletVPN have become an essential tool for protecting users from various threats while browsing the web.
The first on the list is to update all your devices that work on Wi-Fi or have ever been connected to a wireless network, since according to Vanhoef, “implementations can be patched in a backwards-compatible manner.” This means that updated and secured networks will still be able to communicate with un-patched hardware.
This is, of course, if your devices are not already set on auto-update which is just a lousy and careless practice.
The second step is to update your router’s firmware, since that is where all the trouble is originating from. This can be done by following its user guide to connect to the admin pages and browsing the administration panel. Notably, some router companies like Aruba, Fortinet, and MikroTik have already released fixes as well.
Use Ethernet or Mobile Data
Until a foolproof patch is made available, you can use an Ethernet cable to reroute your web traffic. The paranoid souls can switch off Wi-Fi on their routers as well as their devices to be doubly sure. If a wired Ethernet connection is not possible, other options include surfing the internet through your mobile data or a mobile hotspot. However, this might not be a feasible option in case you are not receiving a high-speed network.
Fair warning to Android users: you have slightly more reason to worry. Android devices running version 6.0 of the operating system are at a higher risk.
Depend on HTTPS
Browse the Internet only on encrypted HTTPS access – do not be careless and sloppy like Hillary and Debbie Schultz who obviously are either clueless or dirty or both but this is another topic. This will further help you mitigate any impending risk, in case you absolutely have to hop on to a public Wi-Fi network.
You can also download a browser extension called ‘HTTPS Everywhere’ that puts you on secure internet traffic whenever there is an opportunity. If a website offers encrypted access, the extension automatically directs your browser towards it. The plug-in can be useful in times of such distress and works on web browsers like Chrome, Firefox, and Opera.
If you thought your protected Wi-Fi was safe, think again. Nearly all devices are affected by the new KRACK exploit.
Solid advice for setting up a new wireless router or Wi-Fi network in your home is to password-protect it. Set a secure password using Wi-Fi Protected Access 2 (WPA2) and only share it with those you trust.
Since the WPA2 standard became available in 2004, this was the recommended setup for wireless area networks everywhere — and it was thought to be relatively secure. That said, like the deadbolt on your house, password protection is really only a strong deterrent. Like most things, as secure as WPA2 was believed to be, it was only ever as strong as your password or any vulnerabilities discovered in its security.
Over the weekend, a vulnerability was indeed discovered and turned the internet on its head.
A proof-of-concept exploit called KRACK (which stands for Key Reinstallation Attack) was unveiled. The ominously named crypto attack exploits a flaw in the four-way handshake process between a user’s device trying to connect and a Wi-Fi network. It allows an attacker unauthorized access to the network without the password, effectively opening up the possibility of exposing credit card information, personal passwords, messages, emails and practically any other data on your device.
The even more terrifying bit? Practically any implementation of a WPA2 network is affected by this vulnerability, and it’s not the access point that’s vulnerable. Instead, KRACK targets the devices you use to connect to the wireless network.
The website demonstrating the proof-of-concept states, “Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and others are all affected by some variant of the attacks.” That said, most current versions of Windows and iOS devices are not as susceptible to attacks, thanks to how Microsoft and Apple implemented the WPA2 standard. Linux and Android-based devices are more vulnerable to KRACK.
Editor’s note: Originally published Oct. 16, 2017, this article has been updated to include new vendors with security patches for the WPA2 exploit.
What you can do
So what can you do right now?
Keep using the WPA2 protocol for your networks. It is still the most secure option available for most wireless networks.
Update all your devices and operating systems to the latest versions. The most effective thing you can do is check for updates for all of your electronics and make sure they stay updated. Users are at the mercy of manufacturers and their ability to update existing products. Microsoft, for example, has already released a security update to patch the vulnerability. Google said in a statement that it “will be patching any affected devices in the coming weeks.” Patches for Linux’s hostapd and WPA Supplicant are also available.
Changing your passwords won’t help. It never hurts to create a more secure password, but this attack circumvents the password altogether, so it won’t help.
Know that KRACK is mostly a local vulnerability — attackers need to be within range of a wireless network. That doesn’t mean your home network is totally impervious to an attack, but the odds of a widespread attack are low due to the way the attack works. You’re more likely to run into this attack on a public network. For more, read our FAQ on KRACK.
Available updates so far
The good news is that with such a dangerous vulnerability, companies have been quick to patch their software. Here’s a list of all the companies that have released security patches or information so far:
- Apple has already created a patch for the exploit in betas for iOS, MacOS, WatchOS and TVOS.
- Aruba has patches available for download for ArubaOS, Aruba Instant, Clarity Engine and other software.
- Cisco has already released patches for the exploit for some devices, but is currently investigating whether more need to be updated.
- Espressif Systems released software fixes for its chipsets, starting with ESP-IDF, ESP8266 and ESP32.
- Fortinet says FortiAP 5.6.1 is no longer vulnerable to the exploit, but version 5.4.3 may still be.
- FreeBSD Project is currently working on a patch.
- Google will be patching affected devices in the coming weeks.
- HostAP has released a software fix for the exploit.
- Intel released an advisory as well as updates for affected devices.
- LEDE/OpenWRT now has a patch available for download.
- Linux already has software fixes and Debian builds can already be updated, as well as Ubuntu and Gentoo.
- Netgear has updated some of its routers. You can check for and download updates here.
- Microsoft released a Windows update on Oct. 10 that patched the exploit.
- MikroTik RouterOS version 6.93.3, 6.40.4 and 6.41rc are not affected by the exploit.
- OpenBSD access points are unaffected, but a patch for clients has been released.
- Ubiquiti Networks released a firmware update, version 184.108.40.20637, to patch the vulnerability.
- Wi-Fi Alliance now requires testing for the vulnerability and provides a detection tool for Wi-Fi Alliance members.
- WatchGuard released patches for Fireware OS, WatchGuard access points and WatchGuard Wi-Fi Cloud.
A list of vendors that have patched the vulnerability can be found on the CERT website, though the site appears to be under heavy traffic.
More important KRACK facts
Fortunately, there are a few comforting thoughts:
- The Wi-Fi Alliance stated it now “requires testing for this vulnerability within our global certification lab network,” which is promising for any new devices headed to shelves. It’s also providing a vulnerability detection tool for Wi-Fi Alliance members to test their products with.
- Using a virtual private network (VPN) will encrypt all your internet traffic and could protect you from such an attack. Not to mention, it’s good practice to use a VPN if you care about your online privacy or security anyway.
- Strictly using sites that use HTTPS can help protect you against KRACK, but HTTPS isn’t totally impervious either.
This is a developing story. Check back for additional tips as we have them.
By Marshall Honorof 17 October 2017
Some manufacturers have already released patches for software and hardware affected by the KRACK Wi-Fi vulnerability.
KRACK is one of the more insidious router vulnerabilities to crop up lately. You can read more about it in our full report, but briefly: An attacker within physical range of a Wi-Fi network could create a rogue “copy” of the network to fool vulnerable devices and gather all their information.
It’s a clever flaw that bypasses most of the safeguards that keep wireless routers and connected devices protected.
There are two pieces of good news, however. The first is that the flaw was discovered by a security researcher, and there’s no evidence that it’s ever been exploited in the wild. The second is that major companies have known about the flaw for months, and some of them have already released patches for affected software and hardware. ZDNet took a stab at a comprehensive list, and Tom’s Guide has contacted a few additional manufacturers to see how they’re coming along.
First, take a deep breath: Your computer is probably OK. Both Apple and Microsoft have released patches to address the issue. As long as you keep your system updated regularly, you won’t have to worry about your computer falling prey to the rogue networks. Newer builds of Linux are also in good shape, but to be fair, Linux is hardly a hotbed of attacks to begin with.
Your smartphone may be a different story. While iOS is fully secured, newer versions of Android are not yet. Since every smartphone manufacturer and wireless carrier uses a slightly different version of the Android OS, it’s difficult to say when your device will be patched, if ever. Google is currently “aware of the issue,” according to ZDNet, but it’s hard to say what steps the company will take next. Your best bet would be to use mobile data whenever possible instead of Wi-Fi, unless you’re at home or the office. (Unless you’ve made some very dire enemies, the attack is really only useful in public, highly trafficked Wi-Fi locations.)
Surprisingly, only a handful of router manufacturers have taken proactive steps to address the flaw. Arris is “evaluating” its options, ZDNet reported, but hasn’t actually released any patches. Cisco has confirmed that many of its products are vulnerable, and has released patches for some of them — but not others. If you have a Cisco system, keep it updated, and hope that your device is one of the safe ones. Netgear has likewise updated some of its devices, but others are still vulnerable, and may be for some time.
Tom’s Guide contacted D-Link, Linksys and TP-Link to see if those companies have released patches yet, or are planning to soon. The responses we’ve received are below.
“Belkin International (Belkin, Linksys, and Wemo) is aware of the WPA vulnerability. Our security teams are verifying details and we will advise accordingly. Also know that we are committed to putting the customer first and are planning to post instructions on our security advisory page on what customers can do to update their products, if and when required.”
“On Oct. 16, 2017, a WPA2 wireless protocol vulnerability was reported. D-Link immediately took actions to investigate the issues. This appears to be an industry-wide issue that will require firmware patches to be provided from the relevant semiconductor chipset manufacturers. D-Link has requested assistance from the chipset manufacturers. As soon as patches are received and validated from the chipset manufacturers, D-Link will post updates on its website support.dlink.com immediately.”
The fact is that there will probably never be complete protection against KRACK among routers and mobile operating systems, simply because the market is so enormous and fractured. The best you can do is avoid public Wi-Fi whenever possible (even if it’s secured with a password), use mobile data if you can and keep the firmware updated on your own router at home. If the flaw starts becoming common in the wild, other manufacturers will (probably) step up their patching game; if not, you can’t fall prey to a hack that no one is using.
UPDATE: US-CERT has a long list of vendors sorted according to whether they’ve patched the KRACK flaws in their products. Windows Central has a similar, but shorter, list of router makers that have issued patches.
FragAttacks are a group of security vulnerabilities that can be used to attack Wi-Fi devices. Every Wi-Fi device ever created appears vulnerable, making it possible for attackers to steal sensitive data or attack devices on your network. Here’s what you need to know.
What Are FragAttacks?
Disclosed on May 12, 2021, FragAttacks stands for “fragmentation and aggregation attacks.” These are a collection of security vulnerabilities announced together. Three of them are design flaws with Wi-Fi itself and affect most devices that use Wi-Fi.
Additionally, the researchers found programming mistakes in many Wi-Fi products. These are even easier for attackers to abuse than the design flaws in Wi-Fi itself.
The collection of vulnerabilities called FragAttacks were discovered by Mathy Vanhoef, the same security researcher who previously discovered KRACK, an attack on the WPA2 encryption protocol used to secure Wi-Fi networks.
Which Devices Are Vulnerable to FragAttacks?
According to the researchers, every Wi-Fi device ever created appears vulnerable to at least one of the FragAttacks vulnerabilities. In other words, every Wi-Fi device going back to Wi-Fi’s first release in 1997 is likely vulnerable.
That’s the bad news. The good news is that this vulnerability was discovered nine months before it was revealed to the public. In that time, many companies have already released security patches that protect their devices from FragAttacks. For example, Microsoft updated Windows with protection against FragAttacks in the update released on March 9, 2021.
What Can an Attacker Do With FragAttacks?
An attacker can do one of two things with FragAttacks. First, in the right situation, FragAttacks can be used to steal data from a Wi-Fi network that should be encrypted and protected against such an attack. (Websites and applications that use HTTPS or another type of secure encryption are protected against such an attack. But, if you’re sending unencrypted data over an encrypted Wi-Fi connection, a FragAttack could be used to bypass the Wi-Fi encryption.)
This highlights the importance of securing data being sent over a network with encryption—even if that data is just being sent between two devices on your local network. It’s also another example of why using HTTPS everywhere is so important for the future of the web. Browsers are slowly shifting away from HTTP and to HTTPS for good reason.
Second, the researchers say that the main concern is that FragAttacks could be used to launch attacks against vulnerable devices on a Wi-Fi network. Unfortunately, many smart home and IoT devices—especially those created by strange fly-by-night brands that don’t provide long-term support for their devices—do not regularly receive updates. A cheap smart plug or smart light bulb from an unknown brand may be easy to attack. In theory, this “shouldn’t matter” because that device is on a trusted home network—but FragAttacks offer a way to bypass the Wi-Fi network’s protection and attack a device directly, just as if the attacker were connected to the same Wi-Fi network as the device.
It’s more confirmation of the importance of security updates: The devices you choose to use should be from reputable manufacturers that provide security updates and long-term support for their hardware. This even applies to cheap Wi-Fi-enabled smart plugs. Secure your smart home.
What’s the Actual Risk?
First of all, because this is an attack against Wi-Fi, an attacker would have to be within radio range of your network—in other words, in your physical vicinity—to execute an attack that used FragAttacks.
In other words, if you’re in an apartment or a dense urban area, there are more people nearby and you’re at a somewhat higher risk. If you live somewhere without other people around, you’re very unlikely to be attacked.
Corporate networks and those of other institutions that might be high-value targets are clearly more at risk than an average home network, too.
As of the disclosure of these flaws in May 2021, the researchers said there was no evidence any of these flaws are being exploited in the wild. So far, they appear to just be theoretical problems—but the public disclosure increases the risk that people will use them to attack networks in the real world.
So FragAttacks are a problem, but remember, this isn’t a “wormable” attack that can spread like wildfire over the internet—an attacker would have to be near you and target your network to attack your smart home devices or try to capture sensitive data. It’s very important that this flaw is disclosed and that device manufacturers issue software patches for existing devices and ensure future devices are protected, of course. And there are some things you can do to protect yourself.
How Do You Protect Yourself?
Thankfully, standard best practices for keeping your devices and network safe will also help protect you against FragAttacks. Here are the top three tips:
First, ensure the devices you’re using are getting security updates. If you’re still using a Windows 7 PC or an old version of macOS that isn’t getting updates, it’s time to upgrade. If your router is getting long in the tooth and your manufacturer never plans on updating it again, it’s time for a new router. If you have smart plugs or other old devices that aren’t getting firmware updates and likely have security flaws, you should replace them with something new.
Second, install those security updates. Modern devices will generally automatically install updates for you. However, on some devices—like routers—you still have to click an option or tap a button to agree to install that update.
Third, use secure encryption. When signing in online, make sure you’re on an HTTPS site. Try to use HTTPS whenever possible—a browser extension like HTTPS Everywhere can help, but it’s much less necessary now that most websites you visit likely automatically use HTTPS if it’s available. Firefox can even be configured to warn you before loading websites that aren’t encrypted with HTTPS. Also, try using secure encryption everywhere: Even if you’re just transferring files between devices on your local network, use an application that offers encryption to secure that transfer. This will protect you from FragAttacks and other potential future flaws that could bypass your Wi-Fi encryption to spy on you.
Of course, a VPN can route all your traffic through an encrypted connection, so it gives you extra protection against FragAttacks if you have to access an HTTP website (or another unencrypted service) and you’re concerned about the network you’re currently using.
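One way to act on the third tip, as an added example that is not part of the original article: the Python below scans a connection listing in the column layout of Linux `ss -tn` for established sessions to services that are normally unencrypted, which are the ones left exposed if Wi-Fi encryption is bypassed. The sample listing, the port list, the local address ranges and the function names are constructed for illustration, and matching on port number is a heuristic.

```python
import ipaddress

# Ports whose standard service is unencrypted. Matching on port number is a
# heuristic assumed for this example; services on other ports are missed.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP",
                   110: "POP3", 143: "IMAP", 1883: "MQTT"}

# Home/office address ranges, so local transfers can be told from internet ones.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]

# Constructed sample in the column layout of Linux `ss -tn`.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB     0      0      192.168.1.23:51544  198.51.100.10:443
ESTAB     0      0      192.168.1.23:40112  192.168.1.50:80
ESTAB     0      0      192.168.1.23:40980  203.0.113.7:80
ESTAB     0      0      192.168.1.23:51002  192.168.1.1:23
TIME-WAIT 0      0      192.168.1.23:39000  203.0.113.9:21
ESTAB     0      0      [fd00::23]:43210    [fd00::50]:1883
"""


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and IPv6 zone id
    return ipaddress.ip_address(host), int(port)


def find_cleartext_connections(ss_output):
    """Return established connections protected by Wi-Fi encryption alone."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # header, non-established or malformed row
        try:
            peer_ip, peer_port = split_endpoint(fields[4])
        except ValueError:
            continue  # unparsable address or port
        service = CLEARTEXT_PORTS.get(peer_port)
        if service:
            local = any(peer_ip in net for net in LOCAL_NETS)
            scope = "local network" if local else "internet"
            findings.append((str(peer_ip), peer_port, service, scope))
    return findings


if __name__ == "__main__":
    for ip, port, service, scope in find_cleartext_connections(SAMPLE_SS_OUTPUT):
        print(f"{service} to {ip}:{port} ({scope}) has no encryption of its own")
```

On a Linux machine, the text printed by `ss -tn` can be passed to `find_cleartext_connections` in place of the sample.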
So that’s it: Use devices that are getting updates, install security updates, and use encryption when connecting to websites and transferring data. Thankfully, FragAttacks aren’t yet being used in the wild.
Of course, people who handle security for corporate IT departments will have a huge job ahead of them in ensuring their infrastructure isn’t vulnerable to these flaws.
For more technical information about FragAttacks, consult the official FragAttacks disclosure website.
Why can KRACK be so dangerous?
Cybersecurity experts have discovered a critical weakness in Wi-Fi connections that could make your private information vulnerable to cyber criminals. The threat is called KRACK (key reinstallation attacks) and could allow someone to steal information sent over your private Wi-Fi or any open connections you might access in public places like coffee shops.
KRACK is dangerous because it affects so many people. Most people who connect wirelessly to the internet through Wi-Fi on their phone, tablet, laptop, etc. do so using the WPA2 (Wi-Fi Protected Access) protocol that helps keep your information safe by encrypting it—making it a secret code. Only now, KRACK has made it much less protected because thieves may be able to decipher the code that protects your information, and read it whenever they want.
Cyber criminals can also use KRACK to modify wirelessly transmitted data to and from the websites you visit. You might think you’re going to your bank’s website, when in reality you’re at a fake phishing site made to look like it. You unknowingly enter your username and password, and the thieves now can record that information.
How do I protect myself?
Update your operating system
Update your OS ASAP. In the meantime, Apple, Google and others are presumably working to roll out a patch to protect against KRACK.
Microsoft just announced it included a patch in an October 10th security update. Windows customers who have their “Windows Update enabled and applied the security updates” are automatically protected from the KRACK threat, according to Windows Central.
However, don’t assume you’re protected. Even if you’re a Windows user, double check you have the latest security updates.
Use Wi-Fi networks only when necessary
Until you’ve installed the KRACK security patch, avoid using Wi-Fi connections, both at home and especially public hotspots. Your home Wi-Fi connection is slightly more secure only because cyber thieves need to be relatively close to your physical location to steal your data. But that doesn’t mean you’re safe at home or in public.
If you absolutely need to use a wireless network, make sure you’re not transmitting confidential info like your SSN, credit card number, or bank information.
If possible, hardwire your wirelessly connected devices back to your modem/router. Cyber criminals can’t steal signals out of the air if they’re not there, so find that yellow ethernet cable you stashed somewhere in a drawer and use it to connect to as many devices as possible.
Update your wireless router’s firmware
Your router’s firmware helps it work correctly with your devices, so keep it up-to-date. When the security patch rolls out, you don’t want any issues with conflicting or unsupported firmware versions. Updating your router’s firmware is a relatively painless process.
Configure your router so only your approved devices can connect to the network. Each of your devices has a media access control (MAC) address that uniquely identifies it to work with the network. Configure your router to only allow listed devices. The process may differ depending on your router brand.
Hide your Wi-Fi network so even those close enough to detect your signal won’t see it listed. Hiding your network won’t stop dedicated hackers from eventually finding it, but it will create another step they must go through, which is your goal until the patch comes through. It’s likely it will take developers some time to adequately address KRACK, so stay vigilant.
Avoid unencrypted websites
Encrypted websites have HTTPS at the beginning of their URLs. The information you send to and receive from them is secure. Websites that only use HTTP are NOT encrypted. So use HTTPS sites as much as possible. HTTPS Everywhere is a browser plugin that automatically switches thousands of sites from HTTP to HTTPS.
Get some good cybersecurity software
Having cybersecurity software always helps mitigate risk. For critical attacks like KRACK, it’s especially important to add as many layers of protection as possible.
What information can be stolen?
Anything you can send wirelessly over the internet. So, pretty much everything. Passwords, credit card numbers, voice messages, pictures, texts, and the like. Again, this goes for both public and private wireless networks, so your info could be stolen while you’re signed in to the library’s Wi-Fi network or when you’re texting someone from your living room. Deactivate your cell phone’s Wi-Fi connection until you’ve gotten the fix from your OS developer or stay on a 3G network for data transfer.
Can it affect my devices?
Strictly speaking, no. Neither your wirelessly connected devices nor your router are being directly targeted. Unlike ransomware, thieves aren’t KRACKing into your device and threatening to destroy your information. It’s more of an elaborate heist job than a hostage situation. They want to decrypt the protocol, to eavesdrop on what your devices are saying. They’re interested in the info, not who is talking. More importantly, thieves want to go unnoticed.
How did the KRACK vulnerability happen?
Your cell phone and Wi-Fi device (i.e. modem) need to “talk” to each other to decide how to work together to transmit data. The language they use is called a protocol, or system of rules. The protocol is encrypted for privacy. It’s like if two people switched to a different language to discuss something privately. If you don’t know the language, you’re in the dark. That’s how your information is kept private when sent over Wi-Fi.
But the KRACK attack gives cyber criminals an opening to decrypt the information sent. It would be like someone bringing an interpreter to the couple’s private discussion. They now can overhear everything that’s being said.
Can I tell if someone’s stealing my info over Wi-Fi?
As of yet, there’s no way to know if someone is KRACKing your wireless access. That’s why it’s especially important to keep an eye out for an update, and to follow the safety recommendations above.
Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions. Initially focused on the development of antivirus software, the company has since expanded its line of business to advanced cyber-security services with technology for preventing cyber-crime.