You may have heard about it in the news: earlier this year, two researchers from the University of Leuven, Belgium, submitted their research for review, exposing a flaw in our WiFi security. They discovered a critical vulnerability they dubbed KRACK, which affects the WPA2 security of ALL client WiFi devices. For clarity, examples of client devices are your WiFi-connected smart home devices, laptop, phone, tablet, e-reader, etc.
Is this something you need to be concerned about? The short answer is YES!
If you’re using any Android device, it is of particular concern, because this attack executed on an Android-based client can result in a complete breakdown of the device’s wireless security until this is patched. Fortunately, the security patch is relatively simple, but you can expect manufacturers will want to test it to make sure it doesn’t cause issues before releasing it. Expect to see big companies like Apple publishing it as beta (aka, not ready for primetime) at first.
Devices such as WiFi access points are at lower risk, unless they also act as client devices themselves to connect to other access points. Examples are wireless extenders and the new “Mesh Network” devices such as Eero, Google WiFi and Linksys Velop that connect together to extend wireless access throughout your home. However, unless you’re very tech-savvy, you may not be aware of a client capability your wireless router has, and there is a long history of exploits against wireless routers. Although less likely, it’s not impossible that a router could be attacked, have its client capabilities enabled, and then be compromised. Therefore, please do update if possible, or check that your ISP has done this for you, if you are one of the millions that rent a wireless router as part of your Internet service.
How quickly smart home devices are going to be patched against this attack is anyone’s guess. The good news is many companies are taking this more seriously and reacting, now that it’s out in mainstream media. It’s also good news that many devices such as Insteon, Philips Hue and Lutron Caséta are unaffected by this, since they’ve never supported WiFi to begin with.
Although many companies already use HTTPS encrypted traffic, the researchers warn that this was easily bypassed in a “worrying number of situations”. The good news is, if you’re able to use a VPN connection to encrypt all your Internet traffic, you’re safe from attack, because all of your data is encrypted, and therefore unusable to an attacker, the entire time you are connected to the VPN service.
Additionally, Mac and PC users do not need to be concerned, because the WPA2 protocol was never properly implemented by either Microsoft or Apple, which consequently made them immune to the attack, and official patches are already available.
Should you update everything you own that connects by Wi-Fi? In a word, yes. But since it may be very difficult to know whether the manufacturer has updated your device automatically or whether it must be done manually, we recommend you connect securely via a VPN whenever you have the opportunity. This will make your life easier and take a lot of worry off your mind. It’s also important to know that this attack is very sophisticated at the moment, and requires an attacker to be within radio proximity, such as on free Wi-Fi in a coffee shop. But black hat hackers do not wait to take advantage of vulnerabilities like this, and you can be sure a method of simplifying this attack is in the works, seeking those that are unknowingly still vulnerable.
To find detailed information about the KRACK vulnerability, be sure to visit the EFF post about it. For a list of updated devices and those not yet updated, BLEEPINGCOMPUTER is one site taking the lead on tracking this complicated issue.
Have a comment or question? Please give us your feedback in the comments section and do join us in the discussion on Twitter @smarthomeprimer where you'll find us posting about the latest news in IoT and smart home innovations.