
KRACK: A serious Wi-Fi vulnerability

Kraft Kennedy


Yesterday security researchers announced a serious security flaw that affects virtually every wireless device in the world. KRACK (short for “Key Reinstallation Attack”) exploits a vulnerability in WPA2, a security protocol that most modern Wi-Fi devices rely on, including computers, phones, and routers.

Rather than exploit access points, a common attack strategy, hackers can use KRACK to conduct “man-in-the-middle” attacks to decrypt sensitive data, eavesdrop on communications, and hijack connections. All they would need is access to your wireless signal (i.e., to be in close proximity to your wireless router).

Security researchers warn that Android & Linux devices are especially vulnerable, estimating that about half of Android phones are in danger of a particularly “devastating” version of the attack. If your Android device is version 6.0 or higher, it’s advisable to disable Wi-Fi and use cellular data until a patch is released.

We also advise that you use a VPN or secure websites (https:// sites with a lock icon in the address bar) whenever possible because they encrypt network traffic. If you are connected to Wi-Fi and find that secure sites keep redirecting you to non-secure (http) pages, your device may be compromised. Hackers can leverage the WPA2 vulnerability along with an https hack to view passwords in plain text.

The good news is that software patches for this issue are already rolling out. Microsoft released a patch for Windows yesterday, while Google has promised to release a fix in “the coming weeks,” starting with its Pixel phones. Apple likewise announced that it has a fix in beta mode. Cisco Meraki, which many of our clients use, is developing patches for Meraki-based Wi-Fi networks and will automatically deploy them once they are available. Kraft Kennedy will be monitoring patch releases for our SPG clients and applying fixes as they are available.

According to a statement by the Wi-Fi Alliance, “This issue can be resolved through straightforward software updates, and the Wi-Fi industry, including major platform providers, has already started deploying patches to Wi-Fi users.”

Note, however, that hardware patches are released by device manufacturers or, in some cases, cellular providers, so there is no guaranteed timeline for a fix. The issue applies to all WPA2 wireless networks.