Australians are being urged to update all internet-connected devices and routers as quickly as possible, as tech giants and governments scramble to patch a serious vulnerability in wi-fi security.
KRACK is a method of hacking into WPA2, the security protocol used by all modern wi-fi networks, and was revealed last week by a Belgian security researcher. A hacker has to be in close proximity to the wi-fi network for it to work, and the vulnerability can easily be mitigated by security upgrades.
A number of vendors have already released patches, including Apple, Microsoft, Netgear and Raspberry Pi.
Minister Assisting the Prime Minister for Cyber Security Dan Tehan confirmed the government’s Australian Cyber Security Centre (ACSC) is investigating the wi-fi issue.
“The ACSC is investigating and will provide further advice as required. The government’s advice to individuals and organisations is patch or update your software and applications when new versions become available and to follow the ASD’s Essential Eight to improve cyber security,” Tehan said.
The ACSC also recommended that Australians use a VPN to add another layer of encryption to their internet browsing, avoid using public wi-fi for sensitive transactions and regularly back up information to a removable device or cloud service.
Vendors were notified of the vulnerability months before it was revealed publicly, and many have already released patches protecting from it.
Microsoft confirmed that its fix was included in its regular Tuesday updates on 10 October.
“Customers who have Windows Update enabled and applied the security updates are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates,” a Microsoft spokesperson said.
Apple also quickly pushed out a patch, but this is currently only available to those who download public betas for iOS, watchOS, tvOS and macOS. The patch will be included with other bug fixes in an upcoming update.
“Apple is deeply committed to protecting our customers’ data. The fix for the KRACK wi-fi vulnerability is currently in the betas of iOS, macOS, watchOS and tvOS and will soon be rolled out to customers,” an Apple spokesperson said.
Google has also said that its 6 November security patch will fix the issue.
The KRACK attack works by tricking the ‘handshake’ that takes place when a device wants to connect to a protected wi-fi network. The technique dupes the device into reusing an encryption key that is already in use, meaning the hacker can then read the data passed between the device and the network.
“Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos and so on,” said Mathy Vanhoef, the researcher who uncovered the vulnerability.
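Why reusing an already-installed key lets an observer read traffic comes down to how WPA2's encryption is built: the key and a per-packet counter (the nonce) feed a stream cipher, and resetting that counter means the same keystream is applied to two different packets. The following model is an added example, not code from the article or from Vanhoef's research, and the class and function names (VulnerableClient, PatchedClient, run_scenario) are hypothetical. It uses a keyed SHA-256 counter stream as a stand-in for the AES-CTR keystream inside CCMP; the nonce-reuse property shown is the same. The "patched" client models the fix vendors shipped in spirit: a key that is already installed is not reinstalled, so a replayed handshake message cannot rewind the packet counter.

```python
import hashlib
import secrets
from typing import Optional, Tuple


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream. Keyed SHA-256 is an illustrative stand-in for
    the AES-CTR keystream that CCMP uses; nonce reuse behaves identically."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: plaintext XOR keystream(key, nonce)."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


class VulnerableClient:
    """Models a client whose key-install routine resets the packet number
    every time it is called, even when the key is already installed."""

    def __init__(self) -> None:
        self.key: Optional[bytes] = None
        self.packet_number = 0

    def install_key(self, key: bytes) -> None:
        self.key = key
        self.packet_number = 0  # the counter reset that causes nonce reuse

    def send(self, plaintext: bytes) -> Tuple[bytes, bytes]:
        nonce = self.packet_number.to_bytes(6, "big")
        self.packet_number += 1
        return nonce, encrypt(self.key, nonce, plaintext)


class PatchedClient(VulnerableClient):
    """Mitigation (modelled): never reinstall a key that is already in use,
    so a replayed handshake message leaves the packet number untouched."""

    def install_key(self, key: bytes) -> None:
        if key == self.key:
            return  # ignore the repeat; the counter keeps climbing
        super().install_key(key)


def run_scenario(client_cls) -> Tuple[bytes, bytes, bytes, bytes]:
    """Replay a key install between two frames and return
    (nonce1, nonce2, c1 XOR c2, p1 XOR p2)."""
    key = secrets.token_bytes(16)  # constructed session key
    p1 = b"frame one: account balance page"  # constructed sample frames
    p2 = b"frame two: password=hunter2xxxx"
    client = client_cls()
    client.install_key(key)
    n1, c1 = client.send(p1)
    client.install_key(key)  # the handshake message delivered a second time
    n2, c2 = client.send(p2)
    return n1, n2, xor_bytes(c1, c2), xor_bytes(p1, p2)


def nonce_reused(client_cls) -> bool:
    n1, n2, _, _ = run_scenario(client_cls)
    return n1 == n2


def keystream_cancels(client_cls) -> bool:
    """True when c1 XOR c2 == p1 XOR p2: the shared keystream cancelled out,
    so a passive observer learns the XOR of the two plaintexts."""
    _, _, cx, px = run_scenario(client_cls)
    return cx == px


if __name__ == "__main__":
    for cls in (VulnerableClient, PatchedClient):
        print(cls.__name__, "nonce reused:", nonce_reused(cls),
              "plaintext XOR exposed:", keystream_cancels(cls))
```

Running the block prints that the vulnerable client reuses nonce 0 and that XORing its two ciphertexts yields exactly the XOR of the two plaintexts, which is why the article's "read all the data" claim holds without ever recovering the key. The patched client ignores the repeated install, its second frame uses a fresh nonce, and the ciphertext XOR carries no plaintext relationship. This is also why HTTPS on top of wi-fi limits the damage: the leaked layer is the wi-fi encryption, not the TLS session inside it.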
The attack’s strength is mitigated by the fact that the hacker needs to be in close proximity to the wi-fi network to access it, and much of the most sensitive web browsing is protected by HTTPS encryption on top of it.
But many experts have raised concerns with how vulnerable Internet of Things devices will be to the attack, due to difficulties in installing the necessary security patch.
“For the general sphere of IoT devices, like security cameras, we’re not just underwater. We’re under quicksand under water,” University of Michigan computer scientist Kevin Fu told Wired.
“We’re probably still going to find vulnerable devices 20 years from now,” Atredis Partners network security researcher HD Moore added.