What We Can Learn From The KRACK WiFi Loophole

Only you can prevent forest fires. And, as the KRACK WiFi vulnerability perhaps demonstrated, only you can prevent hackers from worming their way into your networks and devices, as even established security measures that are presumed to be stable may not be as secure as we think.

As much as consumers, organizations and retailers rely on wireless networks to be secure – indeed, even take it for granted – the fact is that vulnerabilities do exist. Privacy of information cannot be assumed even on home and work networks, to say nothing of shared and public ones.

A flaw like KRACK leaves banking and health systems just as vulnerable as public and retail settings, such as libraries, coffee shops, restaurants and hotels. In case you missed it, here’s the SparkNotes version of why KRACK was a huge deal.

What KRACK Does

Rick McElroy, a security strategist at Carbon Black, explained that KRACK is a security flaw in WPA2, the current home router standard that is used by almost every U.S. home user. When the old router standard, WEP, was found to be insecure, companies trusted that the new standard would protect users and did not take extra measures, such as Active Directory or multi-factor authentication, for access.

KRACK lets attackers impersonate a user who was previously authenticated by tricking the user into reinstalling the crypto key. The key should be random, McElroy said, and each authentication request should cause a new key to be generated.

By recycling a key that already worked, attackers gain a window into traffic over the signal. They can also reroute that traffic to malicious websites, cause it to return fake data, or worse.
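Why reinstalling a key matters, as an added illustration that is not from the article or from the researchers who found KRACK: a toy Python model in which installing a key resets the per-packet nonce, so a replayed key-install message makes two frames share one keystream, while a patched client ignores a key it already holds. The Client class, the hash-based keystream and the sample frames are assumptions made for this example, and the nonce-reset detail goes beyond what the article itself describes.

```python
import hashlib

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    # Toy stand-in for the real cipher: SHA-256 over key, nonce and block index.
    out = b""
    for block in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical model of a client's key handling (not real driver code)."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.nonce = 0

    def install_key(self, key: bytes) -> None:
        # Called when the handshake message carrying the session key arrives.
        if self.patched and key == self.key:
            return  # same key already installed: keep the packet counter
        self.key = key
        self.nonce = 0  # a (re)install resets the per-packet nonce

    def send(self, plaintext: bytes):
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))

P1 = b"constructed frame one"  # constructed sample plaintexts, equal length
P2 = b"constructed frame two"

def replay_handshake(patched: bool):
    """Send a frame, replay the key-install message, then send another frame."""
    client = Client(patched)
    key = hashlib.sha256(b"constructed session key").digest()
    client.install_key(key)
    n1, c1 = client.send(P1)
    client.install_key(key)  # replayed handshake message
    n2, c2 = client.send(P2)
    # With a reused nonce the keystream cancels: c1 XOR c2 == P1 XOR P2.
    return n1 == n2, xor(c1, c2) == xor(P1, P2)

if __name__ == "__main__":
    print("unpatched:", replay_handshake(False))
    print("patched:  ", replay_handshake(True))
```

The first value in each result says whether both frames used the same nonce; the second says whether the two ciphertexts combined reveal the combination of the two plaintexts without the key.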

Today, said McElroy, most devices support WPA2, which means that the flaw doesn’t just leave computers and laptops vulnerable – it also affects smartphones, tablets, smart TVs, anything in the IoT realm and, of course, the routers themselves.

Staying Safe

While major providers (Apple, Microsoft, Google) have released patches, creating the illusion that the threat has passed, the fact is that KRACK was not the first or the last loophole to be found by hackers. That’s why it’s important to learn from it. Whether you are simply a consumer (as we all are), a retailer, restaurant owner or even a corporate executive, the WiFi networks you encounter are not immune.

PYMNTS asked security experts to share their best advice for keeping safe online – and keeping online safe. Here are their top five tips (in addition to, of course, running those updates to ensure patches are installed as soon as they’re available, and practicing basic digital hygiene on shared networks).

  1. “Businesses that rely on applications to deliver value to their customers and who need to protect their brand, reputation and their customers’ information, should secure the data and the applications and not just rely on the operating system or network to do it for them.” – Rusty Carter, VP of product management, Arxan Technologies
  2. “Users should ensure they have a VPN [virtual private network] installed to protect themselves. A VPN creates a secure, encrypted connection and tunnels traffic to a proxy server. The encrypted connection protects personal data and prevents hackers from accessing or even altering communications over the internet.” – Michal Salát, Avast threat intelligence director
  3. “At a fundamental level, it means that you cannot trust that securing your WiFi password is enough to protect your network … The advice we offer for consumers and enterprises that want to protect their executives and employees at home is that they need to be proactive about protecting their own virtual safety. In an enterprise setting, I would also strongly recommend moving to 802.1X network access control, so that the WiFi password is not the only thing required to get access to the network.” – Jim McCoy, former head of Facebook’s security tools team and co-founder of Q-Branch Technologies
  4. “Use your cell connection whenever possible. Plug in: Ethernet isn’t always an option, but should be used when available. Practice safe browsing: Make sure you type ‘https://’ before the URL of the website or look for the locked padlock that shows you are using a secure connection. [Finally,] be aware of social engineering attacks: Ensure you are connecting to a reliable public WiFi. If in doubt, ask an employee (bartender, hotel receptionist) for the exact name of the WiFi you intend to use.” – Swapnil Deshmukh, senior director of emerging technologies security for Visa
  5. “Protect your device. A significant additional capability is added to mobiles every year, creating more avenues for hackers. Even taking the above steps, you are only protecting yourself from what is known. You need to protect [yourself] from what is as yet still unknown. If you’re serious about keeping your data safe from mobile threats, protect your device using a third-party mobile threat defense (MTD) application.” – John Michelsen, chief product officer, Zimperium

Why It Matters

Experts agreed that a worst-case scenario is unlikely, since an attacker would have to be in range of the router in order to leverage the vulnerability.

However, there are significant threats that could have unfolded thanks to KRACK – and still could, in environments where either patches have not been released, or where individual consumers, retailers and organizations have not run the necessary updates.

Q-Branch’s McCoy said the limited range wouldn’t stop an attacker from rolling into the parking lot of a bank branch office with a laptop and antenna, joining the building’s WiFi and accessing non-encrypted data packets on the network.

Zimperium’s Michelsen said the implications could be significant if an attacker targeted a high-profile CEO or government official. The attacker could retrieve private information stored on the device or listen in to private meetings, then use that knowledge for political or financial gain.

MedCrypt CEO and co-founder Mike Kijewski said that he and other medical device vendors rely on the security of a hospital’s network, as well as those used by patients to access their private healthcare data at home. In healthcare, Kijewski said, security doesn’t just determine whether patient data is safe; it can be a matter of life or death.