As many people have read or will soon read, there is a vulnerability in the WPA2 wireless protocol called KRACK. An attacker within the wireless communications range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocol being used. Impacts may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast, broadcast, and multicast frames.
So here’s what to do now that the WPA2 protocol is vulnerable:
Update all the wireless things you own
So you should update all your routers and Wi-Fi devices (laptops, phones, tablets…) with the latest security patches. You can also consider turning on auto-updates for future vulnerabilities as this won’t be the last one. Modern operating systems have become quite good at auto-updates.
Update your router’s firmware
To help with this, we have created a list of known information regarding various WiFi vendors and whether new drivers are available. As this vulnerability is fairly new, there is little information available, so I advise you to check this page throughout the coming days to see if new information is available. This page includes information gathered by contacting vendors, from CERT’s informative page, and from other sources.
|Vendor|Status|Date Notified|Date Updated|
|---|---|---|---|
|Aerohive|Affected|30 Aug 2017|17 Oct 2017|
|Arch Linux|Affected|28 Aug 2017|17 Oct 2017|
|Aruba Networks|Affected|28 Aug 2017|09 Oct 2017|
|Broadcom|Affected|30 Aug 2017|17 Oct 2017|
|Cisco|Affected|28 Aug 2017|16 Oct 2017|
|Cradlepoint|Affected|–|17 Oct 2017|
|Debian GNU/Linux|Affected|28 Aug 2017|17 Oct 2017|
|Digi International|Affected|–|17 Oct 2017|
|eero|Affected|–|17 Oct 2017|
|Espressif Systems|Affected|22 Sep 2017|13 Oct 2017|
|Extreme Networks|Affected|28 Aug 2017|17 Oct 2017|
|Fedora Project|Affected|28 Aug 2017|17 Oct 2017|
|Fortinet, Inc.|Affected|28 Aug 2017|17 Oct 2017|
|FreeBSD Project|Affected|28 Aug 2017|17 Oct 2017|
| |Affected|28 Aug 2017|16 Oct 2017|
If your router doesn’t yet have a fix, don’t worry. You could connect to your router over Ethernet and turn off its wireless function until it’s patched (assuming WiFi can be disabled on your router). Turn off WiFi on your device as well so that you’re sure all traffic goes through that Ethernet cable.
If you still want to keep WiFi for some devices, consider switching to Ethernet for your essential devices. For instance, if you spend hours every day on a computer and use a ton of internet traffic from this computer, buy an Ethernet cable.
Consider using cellular data on your phone
Your phones and tablets don’t have an Ethernet port. If you want to make sure nobody is watching your traffic, disable WiFi on your device and use cellular data instead. This isn’t ideal if you live somewhere with a spotty network, pay extra for mobile data, or if you don’t trust your telecom provider.
Devices running Android 6.0 and later are more vulnerable than other devices. It is trivially easy to perform a key reinstallation attack because of a bad implementation of the handshake mechanism in the WiFi stack. So Android users do need to be more careful.
Install the HTTPS Everywhere extension
As mentioned above, you can mitigate risks by prioritizing encrypted internet traffic over unencrypted traffic. The EFF has released a neat browser extension called HTTPS Everywhere. If you’re using Google Chrome, Firefox or Opera, you should consider installing the extension.
If a website offers unencrypted access (HTTP) and encrypted access (HTTPS), the extension automatically tells your browser to use the HTTPS version to encrypt your traffic. If a website still relies exclusively on HTTP, the extension can’t do anything about it. The extension is no use if a company has a poor implementation of HTTPS and your traffic isn’t really encrypted.
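The upgrade behaviour described above, as a simplified model added here (it is not the extension's own code): the ruleset is constructed sample data, and the function names `upgrade` and `stillCleartext` are hypothetical. It shows which requests get rewritten to HTTPS and which remain cleartext because no ruleset covers the site.

```javascript
// Constructed sample ruleset: hosts known to support HTTPS, the rewrite
// rule to apply, and URL patterns that must be left alone.
const RULESETS = [
  {
    name: "Example Shop (constructed)",
    targets: ["shop.example", "*.shop.example"],
    exclusions: [/^http:\/\/legacy\.shop\.example\//],
    rules: [{ from: /^http:/, to: "https:" }],
  },
];

// Match a hostname against a target; "*." matches any subdomain label(s).
function hostMatches(target, host) {
  if (target.startsWith("*.")) return host.endsWith(target.slice(1));
  return host === target;
}

// Decide what URL the browser should load and record why.
function upgrade(url) {
  const u = new URL(url);
  if (u.protocol !== "http:") return { url, upgraded: false, reason: "not-http" };
  for (const rs of RULESETS) {
    if (!rs.targets.some((t) => hostMatches(t, u.hostname))) continue;
    if (rs.exclusions.some((re) => re.test(url))) {
      return { url, upgraded: false, reason: "excluded" };
    }
    for (const rule of rs.rules) {
      if (rule.from.test(url)) {
        return { url: url.replace(rule.from, rule.to), upgraded: true, reason: rs.name };
      }
    }
  }
  // No ruleset covers this host: the request stays on plain HTTP.
  return { url, upgraded: false, reason: "no-ruleset" };
}

// URLs that would still travel as cleartext HTTP after the upgrade pass.
function stillCleartext(urls) {
  return urls.filter((x) => new URL(upgrade(x).url).protocol === "http:");
}
```

Anything `stillCleartext` returns is traffic whose confidentiality depends entirely on the WiFi link's own encryption.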
Don’t rely on a VPN as a solution
On paper, using a VPN server sounds smart. But we’ve been there already — be careful with VPN services out there. You can’t trust any of them.
When you use a VPN service, you reroute all your internet traffic to a VPN server in a data center somewhere. An attacker can’t see what you’re doing on your WiFi network, but a VPN company can log all your internet traffic and use it against you.