Monday, October 16, 2017

WPA2 KRACK (Oh, God no)

It seems a researcher staring at code has discovered a giant flaw in the WPA2 protocol. I hate it when that happens.

WPA2 is the wireless encryption protocol that secures our data between our wireless devices and our routers. This new crack takes advantage of a flaw in the 4-way handshake (trust me on this, I know what I'm talking about) to allow malicious hackers within physical distance of connecting to your router to read your wireless traffic and even inject malicious code onto your device (such as ransomware).

It's important to note a few things. First, this crack cannot be used to attack your device from anywhere in the world. The attacker must be within physical distance to connect to your router's wifi. Second, all unpatched devices as of now are vulnerable. Third, HTTPS and VPN traffic remain secure as long as whatever applications you're using don't bypass those encryption protocols. This caveat mostly applies to apps; browsing HTTPS sites in a web browser is safe.

The good news is this flaw can be patched, and only really needs to be patched on the client side, so if your old router doesn't receive firmware updates I wouldn't freak out about it. What's most important is that your laptops, phones, etc. receive patches. As a temporary precaution I've turned off wifi on my phone, turned off my wifi printer until I really really need to print something (hopefully Epson will have an update available before then, but I have no idea if they're reliable about such things) and am using ethernet on my home network.

What does this mean for OS X and Linux PowerPC users? Linux patches are reportedly on the way, but unsupported OS X systems are likely to remain unsupported, lulz. Tiger and Leopard users may have to rely on "security through obscurity" warm and fuzzies to reassure themselves that hackers would never use this hack to inject malicious PowerPC code onto their systems. But who knows, maybe there's some check box in System Preferences we can tic to make it all go away.

Finally, this applies to everything that connects to your router via wifi -- laptops, phones, printers, wifi bluray players, all of it (hence the "Oh, God no" histrionics in the subject line). I'm starting to get a little ill just thinking about it.

Anyway, here's a decent link to read more if you're insolent enough to require more than my third-hand understanding of these things:

Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping