By now, you’ve probably heard the news about KRACK – a security problem discovered in the way wireless devices communicate with each other. Specifically, this flaw allows hackers to snoop in on your network by intercepting traffic from a trusted device or an authorized user that is trying to connect to your Wi-Fi.
Although every threat must be treated seriously, the truth is that most news sources tend to sensationalize stories to grab headlines. This leaves many wondering if the risk is real. Case in point: the WannaCry incident in May 2017 was largely a non-event because it only affected systems that lacked regular Windows patching. But herein lies the danger, as crying “wolf” too often can breed complacency. So, let’s answer a few questions to help you understand the KRACK vulnerability.
Technically, yes. The potential exists for a hacker to connect to your wireless network without knowing the Wi-Fi password. But there is more to this story….
The answer is extremely small. Here is why: First, the attacker must be in wireless range of your network. An attack would have to be carried out by someone within 100 or so feet of your office – even less so depending on signal strengths. That eliminates nearly every hacker in the world from using this vulnerability against you since they would have to be standing right outside your door. Second, the attacker still needs the skills and tools to orchestrate this attack. In other words, they would need to know what they are doing. The tools and instructions are not hard to find, but you still must have a technical mindset. Third, they would need to have a motive. Breaking into a network without a clear purpose or specific knowledge of what’s inside amounts to a fishing expedition. Fourth, if someone happens to connect, they still need things like passwords to access systems and data. In summary, the hacker needs to be physically present, be technically skilled, have a plan, and break through other security layers. That’s no small feat – even for a resourceful criminal.
First, start with maintaining a regular and consistent software patching schedule. A properly patched system is often the difference between being safe and being vulnerable. In this case, a properly patched computer is not vulnerable to KRACK attacks. This does not eliminate the problem entirely because of vulnerabilities in Access Points. But it does reduce the problem significantly. Second, every network should be protected by the best possible security layers, including firewalls, anti-virus, anti-spyware, content filtering, and others. These all help arrest or contain specific types of threats. No defense unto itself is impenetrable, but many layers mitigate risks to manageable levels. Third, it is important to standardize on other best-of-breed technologies, such as Wireless Access Points, for a variety of reasons, including stability, reliability, manufacturer support and security.
Yes, there is much greater concern here. Apple is working on a new version of their iOS software to address the KRACK vulnerability, but it is still currently in beta (read: they’re still testing it). They have not committed to a specific release date as of yet but it is expected in the next several weeks. Android has announced a patch release date of Nov 6. Until then, these devices will be vulnerable to attack – most particularly on Public Wi-Fi.
I realize that using Public Wi-Fi hotspots (think: Starbucks or airplanes) has become a major convenience. However, I strongly urge you not to connect to public Wi-Fi for the next few weeks, especially with Apple- or Android-based devices. That shady guy hanging out all day in the coffee shop might be trolling for unsuspecting victims.
Indeed, there is! Security is the biggest challenge facing businesses both large and small today. Everyone is at risk. The types of attacks are getting more sophisticated – and so are the hackers. Worse still is that there is a lot of confusion about what is a real threat and what is not. Incidents like this are also illustrating other important measures that must be taken seriously and employed as a standard measure. This includes things like security policies, end-user training, and even advanced proactive scanning. And above all else, know this: IT Security is not a DIY endeavor.