How to Protect Yourself from Krack

Most likely you have heard of the major vulnerability in Wi-Fi connections called KRACK. Using only a computer within range of the network and a computer program, an attacker can eavesdrop on a password-protected Wi-Fi network. The same program can also disable HTTPS encryption on some improperly configured websites. The attack is seamless: you would notice no difference when connecting to the network, but you would in fact be connecting to a rogue access point that can read some of your data. Nearly all devices with Wi-Fi connectivity have been affected by this at some point, and many are being patched.

A lot of the information you access on the internet travels over an unencrypted (plaintext) protocol called HTTP; in other words, anyone on the path can read it if they want to. This isn’t necessarily bad, because data sent unencrypted is usually not sensitive. The true danger is websites that are improperly configured for HTTPS, the encrypted variant of HTTP that protects your data from eavesdropping. An attacker could take advantage of such a weakness and force a target computer on the rogue network to drop encryption exactly when it needs to protect data over the wire (or, in this case, the air). Not all websites using HTTPS are vulnerable, and you can rest assured that you are unlikely to encounter this issue. However, proper precautions can be observed to mitigate the risks.

What can you do about this?

  • Be especially careful when using Wi-Fi in public places. Possible targets for this attack could be a coffee shop, airport, hotel, or any other place with public Wi-Fi.
  • If you must use public Wi-Fi, be cautious when logging into any accounts, especially financial and email accounts. Although most of these websites are not vulnerable to the HTTPS attack, if you log into a less sensitive account (match.com as an example of a vulnerable site) and your username and password are the same as your bank account, an attacker can use this information to compromise your bank account.
  • If you must log into an account, consider using a personal hotspot instead.
  • Always verify that the website you are about to log into is using HTTPS and has the proper domain name by checking the URL bar at the top of the browser:

https://www.match.com (encrypted) NOT http://www.match.com (unencrypted) OR https://www.mathc.com (likely a phishing website even if it has HTTPS)

  • Contact your IT department about this issue. Some devices can be patched manually or will receive a patch automatically that can mitigate this issue.
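As an added example (not part of the original post), the URL check in the list above written as a small script: it flags a login URL that is not served over HTTPS and a hostname that is within a couple of characters of a site you actually use, as mathc.com is of match.com. The EXPECTED_SITES set is a constructed placeholder standing in for your own bookmarks.

```python
from urllib.parse import urlsplit

# Constructed placeholder: the sites the user actually intends to log into.
# In practice this would come from the user's own bookmark list.
EXPECTED_SITES = {"www.match.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-letter-off lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_login_url(url: str, expected=EXPECTED_SITES) -> list:
    """Return the problems found with a login URL; an empty list means it looks fine.

    Possible findings: 'unencrypted' (scheme is not https), 'lookalike' (hostname
    is within two edits of a known site, the mathc.com vs match.com case) and
    'unknown-site' (hostname is not one we know at all).
    """
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append("unencrypted")
    if host not in expected:
        if any(edit_distance(host, site) <= 2 for site in expected):
            findings.append("lookalike")
        else:
            findings.append("unknown-site")
    return findings


if __name__ == "__main__":
    # The three cases from the post, plus a site we have never seen.
    for url in ("https://www.match.com", "http://www.match.com",
                "https://www.mathc.com", "https://www.example.org"):
        print(url, "->", check_login_url(url) or ["ok"])
```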

Posted by Nakai Zemer

References:

Mathy Vanhoef. Key Reinstallation Attacks: Breaking WPA2 by Forcing Nonce Reuse. https://www.krackattacks.com. Accessed October 20, 2017.

Meggie Woodfield. Should I Buy from This Site? How to Know if a Website is Secure. November 26, 2014. https://www.digicert.com/blog/buy-site-know-website-secure/. Accessed October 20, 2017.