Are your devices open to the Wi-Fi encryption flaw, and if so, what can you do about it? Here’s a guide.
So you've read about the KRACK vulnerability in Wi-Fi's WPA2 protocol, but what are you going to do about it?
There’s not a lot you can do, apart from applying the relevant software or firmware updates as soon as they become available. Switching from Wi-Fi to Ethernet connections where possible does protect against the issue, but that's not practical in many situations.
But unless you have particularly high security requirements, KRACK isn't something you should be panicking about. It's a local vulnerability, so it's not something that can be exploited on a large scale, or – unless there's already a compromised device on your network – from the other side of the world. So far, there are no reports of real-world exploits.
In any case, most important internet traffic is already encrypted – now do you understand why Google and others have been pushing for the universal adoption of HTTPS rather than HTTP? This reduces the usefulness of any intercepted data to a snooper. Using a trusted VPN extends that protection to HTTP traffic, but such services come with their own issues.
Local traffic, for example files travelling between two computers, is less likely to be encrypted, so think about what you're transferring.
How are the patches coming along?
The good news is that Microsoft had already released a patch for the issue before KRACK became public knowledge. The patch was part of the security update released on 10 October, so if your Windows systems are set to update automatically they should already be protected. Now's the time to check that mechanism is working properly and your systems are up to date.
Apple reportedly included a patch in recent betas of its operating systems (macOS, iOS, watchOS and tvOS), with updates expected in the next few weeks. At this stage we don't know which versions of the operating systems will be protected. There are suggestions that KRACK is not easily exploited on iOS 11 or High Sierra, which should reduce anxiety levels for a lot of users. There is no word of updates for Time Capsule and the AirPort family.
The wpa_supplicant Wi-Fi client for Linux-based systems has been patched, and that has flowed through to Debian, Red Hat Enterprise Linux and other distributions.
Android reportedly won't be patched until early November, and it's likely to take a while longer before updates are widely available from device manufacturers. Given those manufacturers' track records, it seems likely that many older devices will never be patched. Android 6 Marshmallow and later has a particular problem in that until the issue is fixed there is a risk that Wi-Fi traffic can be manipulated, not just examined.
All types of Wi-Fi devices are likely to be vulnerable, so keep checking with the vendors of your Wi-Fi routers, access points, printers, and so on. Remember, that list increasingly includes security cameras, TVs, smart speakers and other things that we tend not to think of as part of the IT picture.