Thursday, 26 October 2017

What About KRACK?

A man in panic
It seems some marketing wonks at Norton have noticed the publicity around KRACK, a recently discovered vulnerability in the main wi-fi standard, and have decided to spread some FUD (fear, uncertainty and doubt) in the hope of generating a few extra sales for their VPN package.

I've been contacted by customers who have received scary emails from Norton telling them:
"All Wi-Fi connection points and devices could be vulnerable—your local coffee shop, home, or workplace connection.
KRACK can allow attackers access to important information like credit card numbers, passwords, and emails transmitted over Wi-Fi networks. This vulnerability can also allow attackers to potentially infect your devices with malware or ransomware."
Then comes the sales pitch:
"HIGHLY RECOMMENDED - Consider using a secure Virtual Private Network (VPN) such as Norton WiFi Privacy*, to help protect your data against this new threat."
Personally the last people I would trust to protect my wi-fi would be those who deliberately spread misleading information for gain, but that's a matter of personal (dis)taste.

So what is KRACK? Most wi-fi networks these days are encrypted to protect against eavesdropping, with the commonest form of encryption being something known as WPA2 (Wi-fi Protected Access 2). KRACK (Key Reinstallation Attacks) is a newly discovered way of breaking into WPA2-protected wi-fi networks. It targets the devices on the network, rather than the wi-fi as such, so changing your password doesn't help.

So far, so scary ... why am I suggesting Norton's email was more marketing FUD than engineering reality?

The way Microsoft and Apple implemented WPA2 on their PCs and laptops happens to be resistant to this particular attack, and both have released patches to fix remaining issues, so up-to-date Windows, iOS, macOS, tvOS and watchOS devices should be fine.

If you are sending credit card numbers and the like over the internet, I very much hope you are checking that the website you are sending them to uses https - every major vendor that I am aware of does. Https encrypts your details before they ever get near the wi-fi, so anyone breaking into the wi-fi would only get gobbledegook. Similarly with most passwords; and the vast majority of email providers support something similar (https, SSL or TLS) for email messages.

There are genuine concerns about smartphones. About half of smartphones being used were thought to be vulnerable when the problem was discovered (ironically, the newer ones with an Android version greater than 6.0). Apple phones should already be fixed, and Google's own phones should be updated with a fixed version of Android fairly quickly, but other manufacturers can be slow distributing updates. The comments above about https and other end-to-end encryption methods still apply though.

There are also concerns about the 'Internet of Things' - smart kettles, baby monitors used over the internet, and the like. To be honest, these have such a bad reputation for insecurity that I'm not sure KRACK makes much odds - although hopefully it will increase pressure on manufacturers to get a grip and take security seriously.

There are things that you should do as a result of this scare (under most circumstances buying a VPN service is NOT one of them):-
  • Make sure your Windows/macOS/iOs is up-to-date with its scheduled updates;
  • If you have an Android smart phone and its Android version is 6 or greater (or you cannot see what the version is), contact your phone supplier to ask if it is patched against KRACK;
  • If your printer software asks to patch your printer firmware (check the request comes from the printer software itself, not an email or a website pop-up) then let it.
  • If your broadband router came from your broadband supplier (not all do), contact them to see if they have updated the router software against KRACK.
  • If you are filling in personal information on a website, make sure the website address starts with https (sometimes this is indicated by a padlock) - if it doesn't, you can often add the 's' yourself and it will take you to a secure version of the page.
  • It is a good idea to protect all PCs and laptops with a reputable antivirus (Norton Antivirus is one example), for all sorts of important reasons. I suggest you seriously consider also protecting your Android smartphone with its own antivirus.
KRACK is mostly a major problem for high-level technical infrastructure and in corporate environments. For home users it is largely common sense and not letting the marketeers panic you. 

No comments:

Post a comment