I’ve had a rant on social media about this; now it’s time to collect that information somewhere a bit longer lasting. There’s a lot of FUD about #KRACK or #WPA2KRACK, the Key Replacement AttaCK affecting WPA2, so I thought I’d share some thoughts on it.
The most important thing people need to know is that there’s not actually much you need to do or worry about. Follow current best practices and you should be fine. Not much should really change for most people.
The basic summary of what has happened is this: most WiFi networks are protected by WPA2-PSK or WPA2-Enterprise. As of today, WPA2 can be cracked: network traffic on WPA2-protected networks can be read and have data injected into it. A lot of FUD news articles will tell you to panic and that WiFi itself is broken. In the wise words of The Hitchhiker’s Guide To The Galaxy, don’t panic. WiFi itself isn’t broken.
For starters, the problem itself is patchable, although that doesn’t necessarily mean it will be patched everywhere. The status of some of the larger vendors at the time of writing looks like this:
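To make concrete why traffic on a vulnerable network can be read, here is a toy model I have added (it is not code from the original post or from the KRACK researchers): reinstalling the session key resets the per-frame packet number, so two frames are encrypted with the same keystream, and a predictable first frame reveals the second. The hash-based keystream, the Station class and the demo frames are constructed stand-ins for WPA2’s real AES-CCMP, and the patched branch models the vendor fix of ignoring a reinstall of a key that is already in use.

```python
import hashlib
from itertools import count

def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    # Toy counter-mode keystream: hash(key || packet number || block index).
    # Stand-in for CCMP's AES-CTR; what matters is that key + nonce fix the stream.
    out = b""
    for block in count():
        out += hashlib.sha256(key + packet_number.to_bytes(6, "big")
                              + block.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Station:
    """One WiFi client. The session key (PTK) comes from the 4-way handshake;
    the packet number is the per-frame nonce and must only ever count up."""
    def __init__(self, patched: bool = False):
        self.ptk, self.pn, self.patched = None, 0, patched

    def install_key(self, ptk: bytes) -> None:
        if self.patched and ptk == self.ptk:
            return  # fixed behaviour: ignore reinstalling a key already in use
        self.ptk, self.pn = ptk, 0  # vulnerable behaviour: nonce resets to zero

    def send(self, plaintext: bytes):
        frame = (self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext))))
        self.pn += 1
        return frame

def recover_second_frame(ct1: bytes, ct2: bytes, known_pt1: bytes) -> bytes:
    # Same key + same nonce => same keystream, so ct1 ^ ct2 == pt1 ^ pt2.
    return xor(xor(ct1, ct2), known_pt1)

def run(patched: bool):
    # Constructed demo values; a real PTK would come from the handshake.
    ptk = hashlib.sha256(b"demo-ptk").digest()
    sta = Station(patched)
    sta.install_key(ptk)
    pt1 = b"GET /index.html HTTP/1.1"   # predictable traffic an observer can guess
    pt2 = b"Cookie: sid=s3cr3t-val42"   # same length; the data worth protecting
    pn1, ct1 = sta.send(pt1)
    sta.install_key(ptk)                 # retransmitted handshake message -> reinstall
    pn2, ct2 = sta.send(pt2)
    if pn1 != pn2:
        return None                      # nonces differ, so keystreams differ
    return recover_second_frame(ct1, ct2, pt1)
```

Running `run(False)` returns the second frame’s plaintext from ciphertext alone, while `run(True)` returns `None` because the patched station keeps counting its packet number; this is also why end-to-end TLS still protects the contents either way.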
- Microsoft: The 10th October updates included the patch.
- Apple: the next updates include the patch (macOS, iOS, tvOS and watchOS). For AirPort devices, there’s no word on whether anything is ever coming.
- Android: HAHAHA, good luck with that (that’s another rant in itself, which I’ll save for another time).
- WiFi access points (WAPs/APs) are hit and miss as to whether they’ll get updates. Look here.
- IoT devices such as Smart TVs are unlikely to ever see patches.
But, as I said before, don’t panic, even if your devices aren’t going to be patched.
For someone to exploit this, they need to be in range of your WiFi network. Do you really think your TV viewing or any other data your TV / unpatchable devices may store will be valuable enough for someone to sit in their car outside your house to try and steal this data? It isn’t.
The data that’s valuable to them is stuff like banking transactions which are performed over SSL. In fact, most of what you do online is performed over SSL these days. That’s why https connections are better than http. Even your social media time wasting (and reading of this blog) is protected this way.
Your home network isn’t likely to be targeted. This exploit is more likely to get used against businesses. Any business worth its salt will have things secured as though an unwanted person has already gotten inside their network perimeter anyway.
You don’t need to panic, you are very unlikely to be targeted, or even affected.
I said above that as long as you follow best practices you should be fine, but didn’t detail what they were. These are NOT just for IT pros. These are for everybody, even home users. Do as many of these as you can. Please.
- If you have a tendency to use shared wifi, get a VPN. Either a paid product (I use Private Internet Access) or configure your home router to accept VPN connections from your devices. You don’t know who else is using the shared wifi you’re on and what they’re doing on it, so protect ALL your traffic.
- Use a password manager. LastPass, 1Password, KeePass, etc. They’re all good (I use LastPass), and they’re all better than using the same password in multiple places. Let it import accounts from your browser, then go through all your accounts changing your passwords. Let it generate long (20-30 character) unique passwords for EVERYTHING. It’s a painful process to go through, but definitely worth it. And when I say everything I mean everything: not only every website you use, but also every device you have inside your home network.
- Use an authenticator app on your phone (LastPass Authenticator, Google Authenticator, Microsoft Authenticator, Duo Mobile, etc.) and set up 2FA (Two Factor Authentication) everywhere that supports it (LastPass, Google, Facebook, Twitter, WordPress, Microsoft, Snapchat, Slack, Kickstarter, Dropbox, TeamViewer, 500px and EA are just some of the ones I have configured). Many sites don’t advertise that they support 2FA, so go into the account settings of important sites and look.
- Stop using the same password on multiple devices or sites. Yes I am basically repeating myself, but this one is important. Most of the recent high publicity “hacks” over the last few years have been nothing more than password re-use.
- Sign up to https://haveibeenpwned.com/ using every single email account that you have (personal and work). It will email you if your account has been found in any account dumps. Some of these have passwords in plain text, hence the repeated emphasis throughout this post on using unique passwords via a password manager and not re-using passwords.
- Assume someone has shared your home WiFi password to people you do not know. You’re not going to regularly check who’s on your WiFi. I don’t. Home devices don’t have automated alerts. So just assume it has happened and someone will connect occasionally who you haven’t authorised. This assumption is more about taking steps to protect yourself from automated viruses / malware rather than a targeted attack against you personally – and such things can come from anywhere, including friends with infected devices using your WiFi with or without your knowledge.
- Never configure any device with a guest / anonymous / default account. Even at home. Check them. Assume someone you don’t know is on your network; you don’t want them to connect to anything using defaults.
- Always make sure any personal data (banking, receipts, IDs and the like) is stored in a location on your computer that has been restricted to you and you alone: no other accounts on your computer, and no access from other systems. Just because it is on your computer doesn’t automatically make it safe.
- Regularly (every 6-12 months) look for firmware updates to devices. Set a calendar reminder. Look. Install. Your computer isn’t the only thing that gets updates. Your router, DVR, Smart TV, and any network-connected device will get them too. Update them.
- Backups. DO THEM! Buy a couple of large capacity USB HDDs. Do semi-regular backups, then store the drive away somewhere safe. Cryptolockers are big business at the moment, and disconnected drives are the only ones safe from a cryptolocker. Have multiple drives you can rotate so there’s always one good copy while another gets overwritten (I’ve had the drive I was backing up fail mid-backup, corrupting the location it was backing up to). Use post-it notes to keep the date of the last backup clearly visible on the outside of the drives (plural, because you’re rotating them).
- Me personally, I do hourly backups to a NAS (Network Attached Storage), then quarterly backups to USB drives. I then store these USB drives at work. Safe from cryptolockers and a fire at home. I figure I can afford to lose up to 3 months of data before it hurts, and spending a few days copying data to drives every 3 months after a calendar reminder isn’t painful. I have all my data at home and at the office – one 0-3 months old the other 3-6 months old.
So the TL;DR summary is:
- If you use shared or public wifi regularly, buy a VPN product.
- Get a password manager. Go to the effort of changing ALL your passwords to be unique ones. Not only for websites, but also for devices on your network (router, modem, NAS, gaming devices, IoT things).
- Get an authenticator app and set up 2FA everywhere that offers it (many don’t advertise it, so go into account settings and look).
- Do not use default accounts.
- Sign up to Have I Been Pwned.
- Do regular backups. To multiple devices. Rotate them. Store them disconnected (offsite is better). Don’t let them get too old.