Security researcher Mathy Vanhoef publicly disclosed a serious vulnerability in the WPA2 encryption protocol yesterday that affects all devices that use WiFi. While we’ve listed many ways to protect yourself against KRACK, the best way to completely eradicate it from your network is to update all your WiFi devices. And some companies have been faster than others.
First, you should update your WiFi access point. If you’re using your default ISP router, there’s not much you can do about it. Ask the company if they patched it, and look for the user guide to find out how you can access the configuration panel and force an update.
If you’re worried, you can also buy a separate WiFi access point, plug it into your router and disable WiFi on your router. Owen Williams has been doing a good job tracking the status of all the various updates, even if you have an access point from an unknown vendor. Ubiquiti, MikroTik, Meraki, Aruba and Fortinet updated their respective firmware in no time.
But updating your access points isn’t enough. You also need to update your devices. Otherwise, if you connect to an unknown WiFi network that hasn’t been patched, somebody can still look at your unencrypted internet traffic and collect some sweet personal data about you.
So let’s look at the device makers. Microsoft is leading the charge here. The Verge first reported that Microsoft has already issued a security patch for Windows 7, Windows 8, Windows 8.1 and Windows 10.
Apple also has a patch up its sleeve, as iMore reported. Unfortunately, the company is going to wait until the next big release to share the fix. This means that you can already fix the KRACK vulnerability by downloading the beta versions of macOS, iOS, tvOS and watchOS. Otherwise, Apple is going to release macOS 10.13.1 and iOS 11.1 in the coming weeks with other bug fixes, new emojis and more.
Update: An Apple spokesperson has sent me the following statement:
“Apple is deeply committed to protecting our customers’ data. The fix for the KRACK WiFi vulnerability is currently in the betas of iOS, macOS, watchOS and tvOS and will soon be rolled out to customers.”
But what about Android devices? This is where it becomes tedious. Devices running Android 6.0 and later are more vulnerable than other devices. It is trivially easy to perform a key reinstallation attack against them because of a bad implementation of the handshake mechanism in the WiFi stack.
Google said that the November 6 patch would fix the issue. Google’s own devices will receive the update instantly, but it’s going to take some time before device manufacturers and carriers approve the update. In fact, it could take weeks or months. Android fragmentation isn’t ideal in those cases.
But there’s one thing for sure. The KRACK vulnerability proves that you should install security updates as soon as they’re available. Turn on auto-updates on your devices and click yes if your device prompts you about a patch.