The Great WiFi KRACK of ’17: What’s Happening, What To Do

So, you heard about the new “WiFi Hack,” or “WiFi vulnerability” or “KRACK attack,” and you’re worried. Good, you should be worried. But you shouldn’t panic. Here’s a quick, totally non-technical explanation of what’s going on and what you can do about it. (If you want a technical explanation, go to this website: https://www.krackattacks.com.)

Now for the non-technicals: Meet Alice.

Alice

Alice is the package delivery driver who delivers to your company, MyCo. (Or who delivers to your house, whichever.) You know, the cool one, who’s always on time, is super-nice, and will cheerfully wait a second if you are just finishing up a label. She’s awesome.

Bob

Alice has just arrived at MyCo, and she’s going up to R&D on the seventh floor to pick up a package. Bob, the intrepid security guard in the lobby, recognizes Alice. He sees her every day and knows she’s cool. So he lets her on the elevator. If there were any packages in the lobby waiting to go out he’d let her grab them, and if she had any to drop off, he’d let her bring them in.

In this analogy, Bob is your WiFi router, or the WiFi card in your computer, phone, tablet, or other wireless internet gizmo. He “knows” Alice, so he’ll let her onto your network. He doesn’t ask her for ID every single time she goes in and out, because he knows her.

BUT WAIT.

That’s not really Alice!

Ted

It’s TED! Ted, the notorious black-hat hacker and ne’er-do-well! But sadly, Bob forgot to put his contacts in, and Alice’s package delivery company includes black hats as part of its uniform. So Bob lets Ted in, thinking he’s Alice.* Ted is now on the elevator and heading up to R&D, having already grabbed any packages in the lobby that looked especially interesting, and dropped off a few filled with limburger cheese and rotten eggs. OH NO!

In this analogy, Ted is a hacker within radio range of you who is using the “KRACK” WiFi attack. He’s gotten past Bob, the Guardian of WiFi, and can now watch the traffic between your device and your router as if the WiFi encryption weren’t there. He can read much of what goes in and out through your WiFi, and in some cases can tamper with it or slip in packets of his own that normally he couldn’t.

So, Ted is headed straight for R&D on the seventh floor. Once he gets there, he can steal anything he wants. It looks bad for MyCo!

BUT WAIT.

Ted did not reckon with Carol!

Carol

Carol is the even more intrepid security guard on the seventh floor, protecting all the secrets of the R&D department. Man, MyCo is lucky she’s on the case! She’s asking Ted for an ID which is on her “allowed to access R&D” list – which of course, he does not have. Remember, he’s not pretending to be Alice: Bob just didn’t realize that he wasn’t Alice, so Bob let him in. Ted’s dastardly scheme is foiled! (Scene where Carol tazes Ted and turns him in, scoring the thanks of a grateful MyCo and a sweet bonus, available on Director’s Cut DVD.)

In this analogy, Carol is the password protection for the devices inside your WiFi network, like individual computers and file servers, or the data on your phone or tablet – which are all stored behind that door marked “R&D”. It doesn’t matter that Ted got in the building and reached the right floor: if he can’t get past Carol, he’s out of luck. He can still see what’s going in and out, so hopefully MyCo uses that nifty tamper-resistant tape on its packages. But he can’t get in to where all the real goodies are, and he can’t drop off any stink bombs inside R&D.

So to sum up, what this new KRACK (it stands for Key Reinstallation AttaCK) WiFi attack does is let hackers who are in range of your WiFi network or device get past the encryption that normally protects WiFi connections. It doesn’t tell them what the password is, and absent further hackery it doesn’t let them change it. It just lets them bypass that part of the security “ecosystem,” as we say. The bug is in how your devices and router set up the encryption for each connection, not in the password itself, so there’s no need to change your WiFi passwords; what you need are the patches.

Once they’re in, they’re that much closer to your actual data. They’re through the lobby and off the elevator on the floor where you keep your important and/or embarrassing secrets. So now it’s that much more important to have Carol on the job. And make sure that all your packages are properly sealed.
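A peek under the hood, for readers who want one. What follows is an added illustration, not part of the original post and not the researchers’ code: a small Python toy that models a WiFi client installing its session key, shows what happens when the key gets installed a second time (the “key reinstallation” in KRACK’s name), and shows why the encryption then fails even though Ted never learns the key. The cipher is a hash-based stand-in for WPA2’s real AES-based one, the handshake is boiled down to one message, and the two packets are made up; the fix shown (refuse to reinstall a key that is already in use) matches the idea behind the real patches.

```python
"""Toy model of why key reinstallation breaks WiFi encryption.

Added illustration for this post; not the author's or the KRACK researchers'
code.  WPA2 encrypts each packet with a counter-mode cipher keyed by the
session key (PTK) plus a per-packet nonce that must never repeat.  KRACK
tricks a client into reinstalling the PTK it already has, which resets that
nonce to zero, so later packets reuse keystream earlier packets already used.
The cipher below is a SHA-256 stand-in for AES-CTR (CCMP); the protocol is
simplified, but the nonce-reuse consequence is the real one.
"""
import hashlib
import os


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Counter-mode keystream: fully determined by (key, nonce, block index)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            key + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Minimal WiFi client: holds the pairwise key and the packet nonce."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.nonce = 0

    def handle_msg3(self, ptk: bytes) -> None:
        """Handshake message 3 tells the client to install the key.

        Vulnerable behaviour: every message 3, including a retransmitted
        one, reinstalls the key and resets the nonce to 0.  The fix is to
        notice the key is already installed and leave the nonce alone.
        """
        if self.patched and self.ptk == ptk:
            return
        self.ptk = ptk
        self.nonce = 0

    def send(self, plaintext: bytes):
        """Encrypt one packet under the current key and the next nonce."""
        self.nonce += 1
        ks = keystream(self.ptk, self.nonce, len(plaintext))
        return self.nonce, xor(plaintext, ks)


# Constructed sample traffic: a predictable request, then a secret one.
KNOWN_PACKET = b"GET /login HTTP/1.1\r\n".ljust(32)
SECRET_PACKET = b"user=alice&pw=letmein".ljust(32)


def run_attack(patched: bool) -> dict:
    """Ted blocks the client's reply (message 4), so the router resends
    message 3 and the client reinstalls the key.  Ted never sees the PTK."""
    ptk = os.urandom(16)                    # known only to client and router
    client = Client(patched)
    client.handle_msg3(ptk)                 # first message 3
    nonce1, ct1 = client.send(KNOWN_PACKET)
    client.handle_msg3(ptk)                 # retransmitted message 3
    nonce2, ct2 = client.send(SECRET_PACKET)
    # Ted's arithmetic: if the keystream repeated, ct1 XOR ct2 = p1 XOR p2,
    # so knowing (or guessing) p1 reveals p2 without the key.
    guess = xor(xor(ct1, ct2), KNOWN_PACKET)
    return {"nonces": (nonce1, nonce2), "recovered": guess}


if __name__ == "__main__":
    for patched in (False, True):
        r = run_attack(patched)
        print("patched" if patched else "vulnerable", r["nonces"],
              "leaked" if r["recovered"] == SECRET_PACKET else "safe")
```

On a vulnerable client both packets go out with nonce 1 and the second packet falls right out of the arithmetic; on a patched client the second message 3 is ignored, the nonce moves on to 2, and Ted’s guess is noise. That is the whole reason “change your WiFi password” doesn’t help and “install the update” does.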

As for what you can do about it:

  1. MAKE SURE ALL YOUR DEVICES ARE PASSWORD PROTECTED. Every computer. Every phone. Every tablet. If you don’t know how, ask a friendly geek. But you HAVE TO TURN ON PASSWORD PROTECTION. Yes, I know it’s annoying. But you have to do it.
  2. Update your devices. You should always update your devices but now you should REALLY update your devices. And keep updating your devices. The industry has been aware of this for a little while because the researcher who discovered the vulnerability quietly notified them so companies could start fixing it before they announced it to the public. Patches are rolling out and will keep rolling out.
  3. Be extra SUPER careful when using public WiFi. You should avoid it anyway. (Turn on the feature that keeps your device from connecting to WiFi networks automatically and KEEP IT ON.) But until you know your device is secure, no hotel WiFi, no Starbucks WiFi, no airport WiFi. None of it.
  4. This is a REALLY good time to learn to use email and file encryption. If your communications and files are encrypted, it doesn’t matter that Ted can look at them as they go in and out of your WiFi network. Without the right encryption password he still can’t read them. The same goes for websites: when the address starts with https:// (the padlock in your browser), the contents are sealed before they ever reach your WiFi, so Ted can see where the package is going but not what’s inside it.

A lot of lawyers follow me: this is especially critical for them. You are putting not only your information but your clients’ information at risk if you do not address this issue. Don’t do that.

As always, thanks for reading. Questions are welcome in the comments, on Twitter or by email.


*This analogy has a problem that some InfoSec people are not going to like, in that what I’m describing might be a better analogy for a “Man in the Middle” attack. But as is so often true when I mix metaphors, I don’t care. Also the better analogy includes things like leaving windows open and losing your keys and that’s too hard to draw.

2 comments

  • Thanks for the best lay explanation that I’ve seen – and one that is actually helpful! Very basic questions:

    1 – Is the phone password the same as the unlock or an additional step? Mine has various “password areas” but not everything is in them. I’m not sure how to add a password to the entire phone unless it’s the unlock but will figure it out if needed.

    2 – If no files I care about are saved on a device, and no passwords are saved on it, (so a device with few docs and mainly used to access things online) it seems to me they wouldn’t be able to access anything beyond what’s going in and out (so emails and internet history?), which I can’t really stop anyway (well, my emails are already encrypted, but beyond that). Is that correct?

    3 – Similarly, if I’m on a computer with no password (not mine, can’t change) but only do a remote connection (Citrix, LogMeIn, etc.), it seems to me things done within that connection are safe. Do you agree?

    • Thanks for reading! To answer your questions:

      1) More or less, though it depends on the phone. If you have a master unlock password for the phone, that’s a good first step. Most phones don’t have direct file sharing or admin access through WiFi, so you’re probably pretty safe anyway.

      2) Essentially, yes. As with anything I could probably construct a problem scenario. Heck, I already have, so I’ll do it: they use the KRACK to upload malware to your browser. The malware, through one or more known paths, gets them user or even admin access to your computer. Next time you log on from inside your work/home network, they could theoretically use that access to traverse your computer and get into other machines on that network.

      3) Almost certainly. Most such connections are encrypted. Ask your IT people for verification.
