If you have ever walked into your business office and your iPhone, iPad, Android phone or notebook computer automatically re-connected with your company’s Wi-Fi router, you may be vulnerable. If you walk into a Starbucks, or your home office or den, and automatically re-connect with a router in those locations, then you may be vulnerable, too.
This latest security problem is called KRACKs (an acronym for Key Reinstallation Attacks). Several months ago, researchers reported that the mainstream encryption protocol now embedded in just about every router on the planet, called Wi-Fi Protected Access II (or, more simply, WPA2), has a serious vulnerability that could allow any connected device to be breached, malware to be inserted or data streams to be co-opted by bad actors. Some consider KRACK to be one of the most serious business and consumer threats of the last several years, and we’ve had our fair share of them. The reason is simple: there are so many computing platforms and other IoT (Internet of Things) devices such as Nest thermostats, refrigerators, TiVos, Apple TVs, baby monitors, home security systems, Apple Watches, Rokus and Xboxes, all connected via home or business routers, that tens of millions of devices are now extremely vulnerable. Heck, even my EV auto has built-in Wi-Fi!
While the researcher informed the United States Computer Emergency Readiness Team (US-CERT), a division of the Department of Homeland Security, about this vulnerability, US-CERT only shared this information with the router manufacturers and the device developers so they had time to update their software to close the breach. Within the last few days, this information has been released to the public. Here’s the “public” alert posted on the US-CERT website. The reason US-CERT kept this close to the vest in the short term is so that bad actors would not be tipped off about the vulnerability while the vendors worked to correct it with patches and software updates. This is one of those “fine lines” between our right to know vs. what we don’t want the bad guys to know. The experts have suggested that this vulnerability did not leak to the dark web, but that doesn’t mean we are all in the clear.
Here’s an Ars Technica story that goes into some detail about the nature of the breach. And, Ars Technica did a 2nd day follow-up story for those of you who are really into cryptographic security issues. Caution: it’s a deep dive, so be forewarned!
Update Your Router and Connected Devices
What should you do? If you regularly update your Apple (macOS/iOS) or Android devices, make sure you have the latest updates on ALL of them: phones, tablets and computers. If you use Microsoft Windows on a notebook computer with Wi-Fi capabilities, use the Microsoft software updater to ensure you have the latest updated version of Windows 10 OS on your computer. If you have an Apple TV, TiVo, Roku, Nest thermostat or similar device with built-in Wi-Fi, these manufacturers may also provide software updates. However, you may need to manually go into the devices’ dashboards and click to update the system software. If you have an in-home router, you will need to access your router’s dashboard and have your system check for a firmware update. Many in-home routers can be accessed by entering 192.168.1.1 (the router’s factory-set IP address) in your browser bar while you are on your in-home wireless network. You will need your router’s administrative login User Name and Password, but once you are in the back-end administrative area of the router, you can easily update your device. Check your router installation instructions for more details. Most router manufacturers (ASUS, Cisco/Linksys, Netgear and others) have already begun to push out firmware updates to close this vulnerability on the router side. Because these consumer routers do not generally auto-update, you’ll still need to make sure that both your in-home router and all of your connected devices are updated.
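Not every router answers at 192.168.1.1, so it helps to read the address your computer actually uses as its gateway. The following is an added example, not part of the original article: it assumes a Linux machine, whose kernel lists routes in /proc/net/route, and it falls back to a constructed sample table when that file is not available.

```python
import socket
import struct

RTF_UP = 0x0001       # route is active
RTF_GATEWAY = 0x0002  # route is reached through a gateway (the router)

# Constructed sample in the layout of Linux /proc/net/route (not from a real host).
SAMPLE_ROUTE_TABLE = (
    "Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n"
    "wlan0\t00000000\t0101A8C0\t0003\t0\t0\t600\t00000000\t0\t0\t0\n"
    "wlan0\t0001A8C0\t00000000\t0001\t0\t0\t600\t00FFFFFF\t0\t0\t0\n"
)


def default_gateways(route_table_text):
    """Return [(interface, gateway_ip)] for every active default route."""
    found = []
    for line in route_table_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue  # blank or truncated line
        iface, dest, gateway, mask = fields[0], fields[1], fields[2], fields[7]
        flags = int(fields[3], 16)
        # A default route has destination 0.0.0.0 and netmask 0.0.0.0.
        is_default = dest == "00000000" and mask == "00000000"
        if is_default and flags & RTF_UP and flags & RTF_GATEWAY:
            # Addresses are printed as little-endian hex: 0101A8C0 -> 192.168.1.1
            ip = socket.inet_ntoa(struct.pack("<L", int(gateway, 16)))
            found.append((iface, ip))
    return found


if __name__ == "__main__":
    try:
        with open("/proc/net/route") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_ROUTE_TABLE  # not on Linux: use the constructed sample
    for iface, ip in default_gateways(table):
        print(f"{iface}: enter {ip} in your browser bar to reach the router dashboard")
```

If the printed address differs from 192.168.1.1, use the printed one when you go looking for the firmware update page.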
While you can go through the process of updating your business and home Wi-Fi routers and your many devices, how about your corner Starbucks? LA Fitness? Anywhere that you can connect with a public or private Wi-Fi network could be problematic if these locations have not updated their routers’ firmware. “Caution” is always the word of the day!