How to protect yourself from the "KRACK" Wi-Fi attack

Filip TRUȚĂ

October 18, 2017

Earlier this week, a researcher from the University of Leuven discovered a critical flaw in the WPA2 wireless communication standard that leaves all Wi-Fi-connected devices vulnerable to attacks. Now, we will lay out simple steps users can take to mitigate risk until the Wi-Fi Alliance comes up with a fix.

As we wrote yesterday, researcher Mathy Vanhoef confirmed that “an attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs).”

Attacks would be platform-agnostic – meaning no operating system is immune – and would theoretically work against all modern protected Wi-Fi networks. It is worth noting that no attacks exploiting this flaw have been recorded yet, but it’s better to be safe than sorry.

The Wi-Fi Alliance has drawn up a plan to remedy the situation, but it’s going to be a while before WPA2 is fully patched.

For its part, the United States Computer Emergency Readiness Team (CERT) has published an advisory in response to the news and even lists all known affected hardware and software. As the Wi-Fi Alliance and product vendors scramble to come up with patches, here’s what you can do:

Install whatever update / patch is already available

If your vendor already has a patch available, grab it. It might not be easy to obtain and install, but if you care about your data and privacy, you should make the effort to patch. Typically, routers need to be patched manually by visiting the vendor’s website, downloading the patch and feeding it to the router through a web tool.

Use AES encryption

Both AES and TKIP are vulnerable to KRACK. However, AES is not vulnerable to packet injection, so you can continue using WPA2 with some peace of mind as long as it’s encrypted with AES (not TKIP).

Visit only HTTPS-secured websites and/or use VPN

HTTPS negotiates its own security layer, so every website secured with HTTPS (TLS) is theoretically safe to visit. For greater peace of mind, use a trusted VPN service to encrypt inbound and outbound transmissions. HTTP sites are not safe – not just because of KRACK, but in general.

Use lower-risk devices if you can

Soon after KRACK came to light, it was confirmed that virtually any device that sends and receives data over Wi-Fi is vulnerable. However, Vanhoef said Android devices running OS version 6.0 or newer are the most vulnerable because of a flawed implementation of WPA2. So maybe use a non-Android device until things get cleared up. This is not a remedy, of course, but merely a “safer” option for the types who dual-wield phones and tablets with different OSes anyway.

Desktop-wise, researchers discovered Linux is the most vulnerable operating system, so consider using a Windows PC or a Mac in the meantime – again, if you can.

Avoid public Wi-Fi, use Ethernet at home and at work

Public Wi-Fi hotspots are the most vulnerable at this point, so avoid them as much as you can. At home or at work, use a wired network if your computer allows it. This means connecting an Ethernet cable to your computer, instead of connecting to the web through Wi-Fi.

Update Windows

If you’re a Windows PC user (and chances are most of our reader base is), Microsoft’s October 10 update protects Windows 10 PCs against KRACK. The Redmond-based software maker confirmed it in a statement to Windows Central:

“Microsoft released security updates on October 10th and customers who have Windows Update enabled and applied the security updates, are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release update,” Microsoft said.

If your PC has automatic updates enabled, you’re good. If not, you have to manually fetch it via Windows Update. We suggest you do it now.

(Remember that updating Windows protects only your Windows device from a potential attack. Your other devices will still have to be secured either with a patch or via the steps enumerated above.)

For Apple users and others

Apple has confirmed to the press that it is beta testing new versions of iOS, macOS, watchOS and tvOS containing a patch for KRACK. No word on when the final/public versions will be released, though. Typically, Apple spends at least two months testing beta OSes for its platforms.

Google, for its part, has also confirmed it is aware of the issue and will be rolling out patches soon. Linux suppliers are also on the case (word has it that patches are already being deployed).

So pretty much everyone is left with the general tips above until their vendors deploy the updates.

As always, running a trusted AV solution further enhances your protection. Even if a hacker successfully deploys a KRACK attack, you still have your anti-malware solution by your side in case the attacker wants to redirect you to malicious or fraudulent websites, or tries to drop a malicious file on your system.

That’s it. Stay safe everyone!
