KRACK: The Most Dangerous Hack Since Equifax & What To Do About It.
If you happen to be someone who owns the most common kinds of technology — smart phones, tablets, computers — then it’s essential that you remember this: you’ve also signed up to keep that technology up to date and safe. Failing to regularly update your technology can and does lead to security risks that can affect you and others.
In July of this year (2017), an unusually serious exploit was discovered by researchers that affects all modern, protected WiFi networks. Far more dangerous than a simple hack, the researchers shockingly discovered that the actual protocol used to secure most wireless networks — something called WPA2 — was itself flawed in how it was designed. The researchers — using their best tech jargon — gave the exploit the super-easy-to-remember name WPA2 Key Reinstallation Attack. However, since no one has time for that many syllables anymore, it was reduced to the capital letters in Key Reinstallation AttaCK.
That’s right, friends, say hello to the KRACK exploit! It allows hackers with the right tools to compromise a wireless network, letting them view data that unknowing victims on the network transmit or receive. Any WiFi-enabled device that you use on a compromised network — including smartphones, tablets, computers, streaming boxes and more — is fair game.
If you’ve ever used a WiFi-enabled device to transmit a password, social security number, home address or bank information, then this is a big, freakin’ deal, to put it mildly.
If you want to better understand how the KRACK exploit works, but you aren’t an IT professional, here’s a really well made video that explains the basics and is still really funny:
For those of you who want to see the original video made by the researchers who discovered the exploit, please watch the second video. The terms mentioned in the video — “man in the middle”, “rogue channels” or “4-way handshake” — might seem a bit difficult to understand, but watch through to the end: there, the researcher easily and clearly demonstrates how a malicious hacker can easily grab your username and password, even from a website that’s supposed to be encrypted and, therefore, safe. It’s eye-opening to the point of alarming.
It’s now been three months since the exploit was discovered. Earlier this month, the KRACK exploit was finally announced and explained to the public. If you’re curious about the three month delay, it’s common practice to give manufacturers some lead time to develop patches that can fix the exploit. That way, when a problem of this scope is announced, a worried public can rely on having solutions offered to fix it.
And that, friends, is why we’re here today: so we can learn what we can all do to protect ourselves. The short-term cheat: use a world-class VPN on every WiFi-enabled device that you own. A VPN encrypts your data between your device and the VPN company’s servers, so even if the wireless network is compromised, whoever is snooping on it sees only encrypted traffic.
The problem, obviously, is that you can’t install VPN software on your Nest Thermostat, Alexa Echo, Google Home or other smart home devices. Instead, the long-term and more appropriate fix is this: update the software for all of your technology. Here’s the breakdown…
Update your computers. Most computer manufacturers have now released patches so you can update your computers. Run the software update applications on each of your personal computers and then restart. Then do this a second time. No, I’m not joking: in some cases, if you’re behind on your updates, you’ll have more than one round of updates and restarts to perform. One caveat: if you use a work laptop, confirm with your IT department if you’re able to update your own device. If you cannot, pressure them to update your computer for you. Use the links below to get started:
- Apple, this week, released new security updates to patch for this hack and others.
- Microsoft released their patches on October 10th for Windows 7, Windows 8, Windows 8.1 and Windows 10.
- Ubuntu, the most popular Linux OS for home users, got patched back in July, so nice job, open source heroes!
Update your computer’s WiFi cards. Manufacturers like Intel and TP-Link make network cards that many people have installed inside of their desktop and gaming computers. If you use a desktop PC, you’ll need to update the drivers for every installed third-party card with a WiFi chip. Here are links to the two most popular vendors:
- Intel — Intel has created a page for all of its affected products. There you can find updates for each device that you can download and install.
- TP-Link — has an alert page here. Patches due out soon. #Hopefully
Update your Chromebooks. This week, Google released a patch for ChromeOS, v62. Take advantage of this and update your Chromebooks now. If you don’t know how to update ChromeOS, learn how by clicking here.
Update all iOS devices. Apple, this week, also released updates to iOS, covering all iPod Touches, iPhones and iPads. Update every iOS device you own using these instructions.
Update your wireless routers. Your router (and yes: you most certainly have one) is the device that shares your connection to the internet with other devices in your home or business. Thus far, only a few of the most popular makers of routers have released patches, which is both annoying and outright irresponsible. Below are two lists to check. If you see that your company is offering an update, download it and follow the instructions on how to update your router. More likely, if you do NOT see that the manufacturer of your router is offering an update then… call them out publicly on Twitter. True story: companies don’t like bad press or attention. The same day I tweeted this to Linksys, they updated their security advisory page to mention the KRACK issue. Still no stinking updates to their firmware yet, but I’m watching you, Linksys. I’m watching.
Update all Apple smart devices. As of this week, patches to fix the KRACK issue are now available for all of the following Apple devices. Click on the links I provide to learn how to update the software on each.
Identify other devices you own which require patching. Because the KRACK exploit can affect any consumer electronic device that uses WiFi, it’s essential that you go through your home and check that every single WiFi device can be patched or already has been. Some companies can update their products automatically so that you don’t have to. Others require you to do the updating. Know which is which.
- Nest devices — Earlier this month, the company’s Twitter feed stated that they’d automatically roll out updates to all Nest products within a few weeks. Sure enough, they’ve begun that process. Nest Thermostats and cameras have been updated. Other products should come soon. Pressure them on Twitter to deliver on those promises.
- Amazon — “We are in the process of reviewing which of our devices may contain this vulnerability and will be issuing patches where needed.” Here’s my translation in case you don’t speak TechTalk: “Go suck an egg, Punkchops.” This is one of the many reasons, I’d never buy an Amazon consumer electronic device. They’re simply not a hardware company and this demonstrates why.
- Google — announced they’ll patch Android OS soon. I reached out to them via Twitter, but haven’t gotten a response. Searching for the term KRACK on their Android support site? Can’t find any results…
- Samsung — is aware of the problem and will roll out updates soon. Searching for the term “KRACK” on their support site? Can’t find any results…
- Philips Hue products — appear to be safe as their products use a different type of network than WPA2 WiFi.
- Synology Network Attached Storage (NAS) devices — Patch has been released. Download and update your home NAS box.
Turn on automatic software updates on your computers. Put your technology to work for you by helping you save time. Activating automatic software updates allows your computer to update itself, so you don’t have to. Every desktop operating system allows you to do this and manufacturers all provide information on how to set it up on your home computers. Follow the link to read the simple setup for each operating system below:
- Microsoft Windows 10 and Microsoft Windows 7
- Ubuntu Linux
- Debian Linux
- CentOS & Red Hat Linux (yum-cron!)
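For the Linux entries above, here is a small script (added here; not from the original post) that checks whether unattended updates are actually switched on, for apt-based systems (Ubuntu/Debian) and for yum-cron (CentOS/Red Hat). The file paths are the distributions’ defaults; the function names and the optional path argument are this example’s own.

```shell
#!/bin/sh
# Added example: report whether automatic package updates are enabled.
# Paths are the distro defaults; pass another path as $1 to check a copy.

# apt (Ubuntu/Debian): /etc/apt/apt.conf.d/20auto-upgrades must contain both
#   APT::Periodic::Update-Package-Lists "1";
#   APT::Periodic::Unattended-Upgrade "1";
# (which repositories get applied automatically is set in 50unattended-upgrades;
# the stock file already includes the security repository)
apt_auto_updates_enabled() {
    f="${1:-/etc/apt/apt.conf.d/20auto-upgrades}"
    [ -r "$f" ] || return 1
    grep -Eq '^[[:space:]]*APT::Periodic::Update-Package-Lists[[:space:]]+"1";' "$f" &&
    grep -Eq '^[[:space:]]*APT::Periodic::Unattended-Upgrade[[:space:]]+"1";' "$f"
}

# yum-cron (CentOS/Red Hat): /etc/yum/yum-cron.conf must have apply_updates = yes.
# download_updates = yes on its own only fetches packages; nothing gets installed.
yum_cron_auto_updates_enabled() {
    f="${1:-/etc/yum/yum-cron.conf}"
    [ -r "$f" ] || return 1
    grep -Eq '^[[:space:]]*apply_updates[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$f"
}

# Human-readable status for whichever family this machine belongs to,
# with the standard command that turns automatic updates on.
report_auto_updates() {
    if [ -d /etc/apt ]; then
        if apt_auto_updates_enabled; then
            echo "apt: automatic upgrades ON"
        else
            echo "apt: automatic upgrades OFF -> run: sudo dpkg-reconfigure -plow unattended-upgrades"
        fi
    fi
    if [ -d /etc/yum ]; then
        if yum_cron_auto_updates_enabled; then
            echo "yum-cron: automatic updates ON"
        else
            echo "yum-cron: OFF -> set apply_updates = yes, then: sudo systemctl enable --now yum-cron"
        fi
    fi
    return 0
}

report_auto_updates
```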
I’d recommend that you turn on automatic software updates for your mobile devices but, currently, there is no such thing. Apple comes close by auto-alerting you that software updates are available, but you must then agree to the update. One nice feature, however, is that you can choose — in advance! — to update iOS while you sleep, something you can learn about here.
That’s it for now, everyone: we made it. If you think I missed anything, please let me know in the comments below and I can update this piece as needed as a living document.
Take care and surf safe!