The Krack vulnerability is another good reason to ditch public Wi-Fi

You probably won't be hit by Krack, but you should update all your devices and use a VPN on public Wi-Fi

You shouldn't be too worried about Krack. But you also probably shouldn't use public Wi-Fi for a while.

"Whilst Krack adds a new tool to the attacker’s arsenal, its scope is relatively narrow," says Andy Patel, a security researcher at F-Secure's research labs. "However, if tools designed to weaponise this attack are made sufficiently easy to use, it’s very likely that miscreants will use them anyway."

The academics who uncovered the Wi-Fi security vulnerability revealed how the WPA2 standard used across almost all Wi-Fi devices can be exploited to read messages and banking information and to intercept sensitive files. However, to do so they say a hacker must be near the wireless connection point and the website mustn't be properly encrypting user data.

While nobody has seen Krack used outside of research conditions, it is possible. A top target for hackers could be public Wi-Fi. Unlike your network at home, these Wi-Fi access points aren't usually as well secured to start with. Patel describes them as being "fundamentally insecure".

Shopping centres, airports, hotels, public transport and coffee shops all see tens to hundreds of people connecting to the same Wi-Fi access points. It's a prime hunting ground for anyone trying to intercept personal information.

In the UK, the most popular public Wi-Fi system is provided by Sky. The Cloud, which is technically a separate company, has four million users per week and more than 20,000 Wi-Fi hotspots around the UK. Most public places with free Wi-Fi, including most restaurants and coffee shops, will be served by this system.

To be part of The Cloud, pubs, hotels, and other companies must be paying Sky customers. The terms and agreements for pubs say that Sky will provide an Edge router that can act as a hotspot. Business networks could also be exploited by Krack, with lots of users all connecting to one Wi-Fi access point.

So, what can be done? Both public spaces and offices running Wi-Fi routers and hardware need to update their systems. When contacted about Krack and Sky's routers, the company said it was working out whether a fix was required for any of its products. A spokesperson added the firm would let customers know if any action was required. If and when an update is ready, it will be pushed out automatically.

The same updating advice applies to consumers, and it is a good time for people to improve general cybersecurity practices. Mobile phones and tablets need to be updated to the latest software when updates have been made available by manufacturers.

In addition, Patel says when using public Wi-Fi a virtual private network (VPN) should be used at all times. The Cloud's own website "recommends" using a VPN for extra security on public Wi-Fi connections.

For home routers, BT and Virgin both said they were aware of Krack and were looking at whether their devices need updating. TalkTalk did not respond to a request for comment at the time of publication but has since said it is looking at whether its devices need updates.

Elsewhere, a slew of major manufacturers have already started issuing updates or working on fixes for the Wi-Fi vulnerability. Apple says it has a fix in beta for iOS, macOS, and its TV and Watch operating systems, and it will be included in a general update in the coming weeks. Microsoft says it released its fixes on October 10 in the latest Windows Update, and Google says it will issue a fix in "the coming weeks".

Elsewhere, networking company Cisco has issued a security advisory detailing which of its products are affected, Intel has done the same, and the Wi-Fi Alliance has issued new guidance.

This article has been updated to include comment from TalkTalk.

This article was originally published by WIRED UK