Have you updated your routers and internet connected devices yet?
Originally posted on the Blackstone Forge blog by Danish Baig
There you are sitting at home in your favorite couch, sipping on tea, and browsing the web with your usual WIFI enabled device, which by the way is connected to a secured wireless network. On your device, you start logging into your banking app, glance at Facebook, make a few online purchases, and download a few sensitive documents to read. Little do you know that someone right outside your home is intercepting and decrypting most or all of your transmitted data. With little effort, this person now has access to a few of your passwords, personal data, and other sensitive information.
Sounds scary right? Well, this can potentially happen to anyone with a WIFI enabled device that hasn’t been recently patched. Most importantly, many people may not even realize that their data has been compromised because they believed to be safe while connected to a secured wireless network. This is all possible because of a recently exposed WIFI vulnerability in the WPA2 protocol that affects most, if not all, client WIFI enabled devices.
Hackers can use a method called Key Reinstallation Attack aka KRACK, by exploiting an encryption key in a 4 way handshake process that’s involved in the WPA2 protocol when transmitting packets. Using this attack, a hacker can intercept and decrypt the victim’s data without knowing the password to the WIFI network. Of course, the attacker needs to be on the same network as the victim, but because WIFI is available in most places these days, this makes the attack very dangerous. In some cases, hackers may also have the ability to inject malicious code and malware into sites. To read more and learn about the KRACK ATTACK, visit https://www.krackattacks.com/.
Microsoft has already released a patch that fixes this vulnerability. Currently, Apple and Linux have yet to release one, but I imagine it will be very soon. Most wireless routers and access points (APs) are safe, but it’s best to check with your vendor and update to the latest firmware.
I know most people usually don’t update their smart devices, routers, APs, passwords, or backups right away. However, this is the time to learn and implement some “best practices”. Whenever your smart device or OS manufacturer releases an update, download and install it as soon as possible. Make it a habit to change your passwords frequently. Always ensure you have a backup of your data and keep it updated. Be vigilant and keep an eye out for anything out of the ordinary when browsing sensitive information or making financial transactions.
Here are some tips to help prevent this type of attack and to keep your data protected:
• Patch all your wireless devices (this includes your access points and routers) with the latest updates and keep them updated regularly
• Always make sure HTTPS is enabled and visible when browsing a secure site
• Use a wired connection or your mobile carrier’s data for sensitive apps or websites until a patch for your device is released
• Change your passwords frequently (I also recommend using sentences for passwords)
• It’s never good to be on an open WIFI network, but if you’re ever on one, try using a VPN to help encrypt your data
• You can also use browser plugins such as HTTPSEverywhere or ForceTLS to enforce HTTPS wherever possible
• Always have a recent backup of your data across all devices
You can find the official CVE details and report from the people who discovered KRACK at the links below:
• https://www.kb.cert.org/vuls/id/228519
• https://www.krackattacks.com/
These are just some steps you can take to help protect your information against this or other “man in the middle” attacks. It’s also a good idea to keep up with the latest security trends, vulnerabilities, and solutions. I myself have subscribed to a few tech news sites and major Anti-Virus vendors, so I can notified of the latest tech stories or hacks. Be safe on the web, be smart with your technology, and always keep security in mind.
Launched in Arlington, Virginia in 2002, Blackstone Federal is the beltway’s premier engineering, transformation, and creative design agency. Rooted in a common culture, Blackstone Federal employees bridge the gap between the beltway and Silicon Valley to create a company unlike any in DC.
Learn more about Blackstone Federal at blackstonefederal.com .
