I've had a chance to track down more information about the KRACK attack and what can be done to protect against it.
KRACK (short for "key reinstallation attack") is what is known as a "Man in the Middle" attack: the attacker sets up a rogue copy of your network on another channel and relays traffic between your device and the real access point. To do that, the attacker has to be within wifi range of both. They don't need your wifi password, but they also can't do it from across the Internet. That makes it unlikely to be a problem for home users, and probably not a huge issue for a small library wifi network. But it's always better to patch devices when you can and take precautions.
A few points that can stand further clarification:
- Windows and iOS devices are not particularly susceptible to the main form of the attack, for an odd reason: their WPA2 code never followed the standard exactly. They refuse to accept a repeated copy of the handshake message that the attack replays, so the attack on the main (4-way) handshake doesn't work against them. They are still affected by a lesser variant aimed at the group-key handshake, so the patches still matter. Microsoft shipped its fix in the October 2017 Windows updates; Apple's is in iOS 11.1 and macOS 10.13.1.
- Android 6.0 and higher are the most vulnerable. The wifi software they use (wpa_supplicant 2.4 through 2.6, also found on Linux) wipes the key from memory after installing it, so when the attack forces a reinstall the device ends up using an all-zero encryption key, and the attacker can decrypt its traffic outright rather than having to work at it. Google has released patches for Android, but whether your device gets an update is largely up to the manufacturer. Most current models will most likely get the patches eventually. Many old ones won't. Those phones have been accumulating unfixed security holes for years, though; this is just another one to add to the list.
Work involving highly confidential information that needs a good measure of privacy protection should probably not be done over wifi at all. If you run such a network, the best advice is to turn off the wifi radio and use ethernet cabling to make it a wired LAN. It's always good practice to use ethernet for sensitive transmissions.
Other general good practices for wifi networks will help protect you in this instance as well:
- Use a VPN (Virtual Private Network) when you're connected to a wifi network. This creates a kind of encrypted tunnel from your device to a server run by the VPN company. Anyone on the wifi network with you, including someone who has broken the wifi encryption with KRACK, sees only the scrambled tunnel traffic. When your request reaches the company's server, it proceeds the rest of the way to its destination over the wired Internet. But don't rely on a free VPN. They may not be reliable or trustworthy. Remember the adage: if the service is free, you're what's being sold. Even a paid VPN can slow you down, and some sites don't work through one.
We'll look at VPN options in a future post.
- Https Everywhere: https://www.eff.org/https-everywhere
The Electronic Frontier Foundation offers a browser extension that chooses the secure web protocol, https, over the unsecured protocol, http, whenever a website offers both. It's available for Chrome, Firefox and Opera. The reasoning is sound: KRACK breaks the wifi layer of encryption, and https adds a second layer the attacker can't remove unless the site lets itself be downgraded to plain http. (The researchers' demonstration video relied on exactly that kind of downgrade.) Financial and shopping sites in particular should be using https, and you should look for it; choosing it whenever it's available, which is what this extension does for you, is good practice. Unfortunately, the extension can also break some sites when no https version exists, or when the switch from one protocol to the other doesn't complete smoothly. Possibly worth a try, but don't be surprised if you hit some snags.
- Cellular data: using a cell phone's data connection is almost always more secure than public wifi, since KRACK and its relatives are wifi attacks. If you're concerned about security, consider increasing your data plan and reducing your use of public wifi. You can also use your cell phone as a modem and tether a laptop or tablet to it when you're away from home.
Steve Gibson makes the point on Security Now that it is CLIENTS, not ACCESS POINTS, that particularly need to be patched. The reason is that the key reinstallation happens on the client's side of the handshake; a router is only exposed on its own behalf when it acts as a client itself (repeaters, mesh nodes, and access points using 802.11r fast roaming). This cartoon shows a reason why.
That said, the other thing you can do is update the router. Many router manufacturers are offering firmware updates, and it's a good idea to check your make and model number on the manufacturer's website to see if there are updates available. Be aware of what a router update does and doesn't buy you, though. An ordinary patch closes the router's own exposure (the 802.11r and repeater cases above). Only some vendors have added a further, optional change that shields unpatched clients connected to that router: refusing to retransmit the handshake message the attack replays. Unless the release notes say the update protects clients, your devices still need their own patches. That router-side protection becomes particularly valuable when you're running a network with a lot of IoT (Internet of Things) gadgets on it: doorbells, cameras, light switches, thermostats, etc. Cheaper gadgets, like cheap Android phones, will probably never get updates or patches, so the router is the only place left to protect them. If your wireless router is so old that you have no way to update it, it may be time to get a replacement.
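To make the last two points concrete (why the client's handshake code is where the flaw lives, why Android 6 is the worst case, and what a router-side mitigation buys an unpatched client), here is a small Python model. It is an added example, not code from this post or from the researchers who found KRACK. Everything in it is simplified and constructed: the keystream is a SHA-256 stand-in for AES-CCMP's counter mode, the 4-way handshake is reduced to the single message that installs the key (message 3), and the key and frames are made-up values. The one thing it keeps faithful is the property the attack abuses: reinstalling the key resets the packet counter (the nonce), so two frames are encrypted with the same keystream. The no-retransmit case stands for hostapd's wpa_disable_eapol_key_retries option, the kind of access-point-side change the researchers' FAQ means when it says an access point can be modified to protect unpatched clients.

```python
"""Toy model of the KRACK key-reinstallation flaw and the two fixes.

Constructed example; not code from the post's author or from the KRACK
researchers. The cipher is a SHA-256 keystream standing in for AES-CCMP
counter mode, and the handshake is reduced to message 3. What it keeps is
the property the attack abuses: reinstalling the key resets the nonce.
"""
import hashlib
from dataclasses import dataclass

PTK = b"\x11" * 16   # constructed pairwise key 'negotiated' by the handshake
ZERO_KEY = bytes(16)

# Constructed frames. FRAME_A is the kind of predictable request an attacker
# can guess; FRAME_B is what they want to read. Same length keeps the XOR
# arithmetic simple.
FRAME_A = b"GET /inbox HTTP/1.1\r\nHost: mail.example\r\n"
FRAME_B = b"POST /login user=alice&pass=hunter2".ljust(len(FRAME_A), b" ")


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Stand-in for AES-CTR: SHA-256(key || nonce || block counter) blocks."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Client:
    """The wifi client (supplicant).

    mode: 'vulnerable' (reinstalls the key and resets the nonce),
          'android6'   (wpa_supplicant 2.4-2.6 behaviour: the key was already
                        wiped from memory, so the reinstall installs zeros),
          'patched'    (ignores message 3 once the key is installed).
    """
    mode: str
    key: bytes = b""
    nonce: int = 0
    installed: bool = False

    def receive_msg3(self, ptk: bytes) -> None:
        if self.installed and self.mode == "patched":
            return  # fix: key already in use, leave key and nonce alone
        if self.installed and self.mode == "android6":
            self.key = ZERO_KEY
        else:
            self.key = ptk
        self.nonce = 0  # the flaw: (re)installing the key resets the nonce
        self.installed = True

    def encrypt(self, plaintext: bytes) -> tuple:
        """Returns (nonce, ciphertext); CCMP sends the nonce in the clear."""
        ct = xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))
        self.nonce += 1
        return self.nonce - 1, ct


def run_attack(client_mode: str, ap_retransmits_msg3: bool = True) -> dict:
    """Handshake, victim sends FRAME_A, attacker replays message 3, victim
    sends FRAME_B. Returns what an eavesdropper in radio range can recover.

    ap_retransmits_msg3=False models the access-point-side mitigation
    (hostapd's wpa_disable_eapol_key_retries): if the AP never retransmits
    message 3, the attacker has nothing to replay, whatever the client does.
    """
    client = Client(mode=client_mode)
    client.receive_msg3(PTK)
    n_a, ct_a = client.encrypt(FRAME_A)
    if ap_retransmits_msg3:
        client.receive_msg3(PTK)  # attacker replays the AP's retransmission
    n_b, ct_b = client.encrypt(FRAME_B)

    # Attack 1: same key, same nonce => ct_a ^ ct_b == FRAME_A ^ FRAME_B, so
    # guessing FRAME_A yields FRAME_B with no key at all.
    known_pt = xor(xor(ct_a, ct_b), FRAME_A) if n_a == n_b else None
    # Attack 2: the Android 6+ case, where the reinstalled key is all zeros
    # and the attacker simply decrypts with it.
    zero_key_pt = xor(ct_b, keystream(ZERO_KEY, n_b, len(ct_b)))
    return {
        "nonce_reused": n_a == n_b,
        "known_plaintext_recovers_b": known_pt == FRAME_B,
        "zero_key_recovers_b": zero_key_pt == FRAME_B,
    }


if __name__ == "__main__":
    for mode in ("vulnerable", "android6", "patched"):
        print(mode, run_attack(mode))
    print("unpatched client, AP that never retransmits",
          run_attack("vulnerable", ap_retransmits_msg3=False))
```

Running it prints one line per scenario. The vulnerable client gives up the second frame to a known-plaintext XOR; the Android 6 style client gives it up to a plain decryption with the all-zero key; the patched client, and the unpatched client behind an access point that never retransmits message 3, give up nothing, which is the point Gibson makes about where the patch has to land and the caveat about what a router update can do.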
For more information on the KRACK Attack
- Steve Gibson gives a technical explanation and his recommendation in the Security Now show notes. See the section toward the end on KRACKing WiFi.
- An analysis of the vulnerabilities and solutions from the discoverers of the flaw (krackattacks.com). Note particularly the Q & A portion.
- From ALA: The KRACK Attack and Libraries