Tips to Secure Your Network and Reduce The Chance of Being Hit By KRACK
A vulnerability has recently been discovered named KRACK. It targets the link between your device and the Wi-Fi access point, i.e. a router either in your home or office. The following tips can help to improve the security of your connection.
The summary below gives a quick overview of the KRACK attack:
- A flaw in the WPA2 wireless handshake protocol allows attackers to sniff or manipulate the traffic between your device and the Wi-Fi access point
- It is particularly bad for Linux and Android devices, due either to ambiguous wording in the WPA2 standard or to misunderstanding during its implementation. Effectively, until the underlying OS is patched, the vulnerability allows attackers to force all wireless traffic to happen without any encryption at all
- This vulnerability can be patched on the client, so the sky hasn’t fallen and the WPA2 wireless encryption standard is not obsoleted in the same sense that the WEP standard is (do NOT “fix” this problem by switching to WEP)
- Most popular Linux distributions are already shipping updates that fix this vulnerability on the client, so apply your updates dutifully
- Fixes for this vulnerability have shipped for Android. If your device has not received them, then this particular vulnerability is merely another reason why you should stop using old, unsupported Android devices
Wi-Fi as an Untrusted Infrastructure
If you’re reading this article from your mobile device, the chain of communication will look something like this:
The KRACK attack targets the link between your device and the Wi-Fi access point, which is probably a router either in your home, your office, your neighbourhood library, or your favourite cafe. The following illustration displays at what point the KRACK attack happens.
In reality, this diagram should look something like this:
Wi-Fi is merely the first link in a long chain of communication happening over channels that we should not trust. At a guess, the Wi-Fi router that you use has probably not received a security update since the day it was built. To add to that point, it could quite possibly still be configured with easily hackable default credentials that have never changed. Unless you set up and configured that router yourself and you can remember the last time you updated its firmware, you should assume that it is now controlled by someone else and cannot be trusted.
Thankfully, we have a solution to the problem of secure communication over untrusted medium, and we use it every day -- the HTTPS protocol encrypts our Internet traffic point-to-point and ensures that we can trust that the sites we communicate with are who they say they are.
Linux Foundation initiatives like Let’s Encrypt make it easy for site owners worldwide to offer end-to-end encryption, which helps ensure that any compromised equipment between our personal devices and the websites we are trying to access does not matter.
DNS remains a problem
Even if we dutifully use HTTPS to create a trusted communication channel, there is still a chance that an attacker with access to our Wi-Fi router or someone who can alter our Wi-Fi traffic -- as is the case with KRACK -- can trick us into communicating with the wrong website. They can do so by taking advantage of the fact that we still greatly rely on DNS -- an unencrypted, easily spoofed protocol from the 1980s.
DNS is a system that translates human-friendly domain names like “satisnet.co.uk” into IP addresses that computers can use to communicate with each other. To translate a domain name into an IP address, the computer queries the resolver software -- usually running on the Wi-Fi router or on the system itself. The resolver then queries a distributed network of “root” nameservers to figure out which system on the Internet holds what is called “authoritative” information about which IP address corresponds to the “satisnet.co.uk” domain name.
The trouble is, all this communication happens over unauthenticated, easily spoofable, cleartext protocols, and responses can be easily altered by attackers to make the query return incorrect data. If someone manages to spoof a DNS query and return the wrong IP address, they can manipulate where our system ends up sending the HTTP request.
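To make concrete what “unauthenticated, cleartext” means for a stub resolver, here is an added Python example (not code from the original article). It builds a DNS A query for satisnet.co.uk, parses a response, and applies the only checks a plain resolver can: the 16-bit transaction ID, the QR bit and the echoed question. Both answers are constructed inside the block (no packets are sent) with addresses from the IETF documentation ranges; nothing in the message format lets the resolver tell which one is genuine, which is exactly the gap DNSSEC closes.

```python
import struct

def encode_name(name: str) -> bytes:
    """Encode a dotted domain name as DNS labels (length-prefixed, NUL-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"

def build_query(name: str, txid: int) -> bytes:
    """Build a standard A query: 12-byte header (flags 0x0100 = recursion desired) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question

def decode_name(data: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset just after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer into the message
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end

def parse_message(data: bytes) -> dict:
    """Parse header, question section and A-record answers of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        rname, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((rname, ".".join(str(b) for b in rdata), ttl))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}

def response_matches_query(query: bytes, response: bytes) -> bool:
    """All a plain stub resolver can verify: same transaction ID, QR bit set, same question.
    There is no signature, so the answer data itself cannot be authenticated."""
    q, r = parse_message(query), parse_message(response)
    return q["id"] == r["id"] and bool(r["flags"] & 0x8000) and q["questions"] == r["questions"]

def make_answer(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed helper: produce a well-formed answer to `query` claiming `ip`.
    The answer name is a compression pointer (0xC00C) back to the question at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    rdata = bytes(int(p) for p in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + query[12:] + answer

# Constructed sample: one query, two syntactically valid answers with different addresses.
QUERY = build_query("satisnet.co.uk", 0x1234)
ANSWER_A = make_answer(QUERY, "192.0.2.10")      # documentation-range address
ANSWER_B = make_answer(QUERY, "198.51.100.99")   # documentation-range address

if __name__ == "__main__":
    for label, msg in (("A", ANSWER_A), ("B", ANSWER_B)):
        ok = response_matches_query(QUERY, msg)
        print(label, parse_message(msg)["answers"], "accepted" if ok else "rejected")
```

Run it and both answers are “accepted”: the ID and question match in each, and a stub resolver has nothing else to go on. Source port randomisation and the 16-bit ID only make guessing harder; they do not authenticate the data.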
Fortunately, HTTPS has a lot of built-in protection to make sure that it is not easy for someone to pretend to be another site. The TLS certificate on the malicious server must match the DNS name you are requesting -- and be issued by a reputable Certificate Authority recognized by your browser. If that is not the case, the browser will show a big warning that the host you are trying to communicate with is not who they say they are. If you see such a warning, be extremely cautious before choosing to override it, as you could be giving away your secrets to people who will use them against you.
If the attackers have full control of the router, they can prevent your connection from using HTTPS in the first place, by intercepting the response from the server that instructs your browser to set up a secure connection (this is called “the SSL strip attack”). To help protect you from this attack, sites may add a special response header telling your browser to always use HTTPS when communicating with them in the future, but this only works after your first visit. For some very popular sites, browsers now include a hardcoded list of domains that should always be accessed over HTTPS even on the first visit.
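The “always use HTTPS” header is HTTP Strict Transport Security (HSTS, RFC 6797). The added Python example below is not from the original article; it simulates how a browser keeps that policy: a Strict-Transport-Security header is only honoured when it arrives over HTTPS, the policy expires after max-age, and a constructed stand-in for the browser’s built-in preload list protects a hypothetical domain even on the very first visit. All hostnames and the preload entry are made up for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser's built-in preload list. Real preload entries
# cover subdomains as well, so this set is treated the same way.
PRELOAD = {"example-bank.test"}  # hypothetical domain

def parse_hsts(header: str):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains),
    or None if the header is invalid (max-age is mandatory)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub

class HSTSStore:
    """Minimal model of a browser's HSTS cache."""

    def __init__(self, preload=PRELOAD):
        self.preload = set(preload)
        self.policies = {}  # host -> (expiry_timestamp, include_subdomains)

    def observe(self, host: str, scheme: str, header_value: str, now: int) -> bool:
        """Record a policy from a response. Returns True if it was accepted."""
        if scheme != "https":
            return False  # a header seen over plain HTTP is ignored (it could be injected)
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 tells the browser to forget the policy
            return True
        self.policies[host] = (now + max_age, include_sub)
        return True

    def is_protected(self, host: str, now: int) -> bool:
        """Check the host and every parent domain for a live policy or a preload entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preload:
                return True
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            expiry, include_sub = policy
            if expiry <= now:
                continue  # expired policy: back to square one until the next HTTPS visit
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url: str, now: int) -> str:
        """Return the URL the browser would actually request."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_protected(parts.hostname, now):
            netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url

def walkthrough():
    """Constructed sequence: first visit, policy learned, policy expired, preloaded domain."""
    store = HSTSStore()
    t0 = 1_700_000_000
    first = store.rewrite("http://www.example-shop.test/login", t0)
    store.observe("www.example-shop.test", "https", "max-age=31536000; includeSubDomains", t0)
    second = store.rewrite("http://www.example-shop.test/login", t0 + 60)
    expired = store.rewrite("http://www.example-shop.test/login", t0 + 31536000 + 1)
    preloaded = store.rewrite("http://login.example-bank.test/", t0)
    return first, second, expired, preloaded

if __name__ == "__main__":
    for step, url in zip(("first visit", "after header", "after expiry", "preloaded"), walkthrough()):
        print(f"{step:13s} -> {url}")
```

The first request to the shop still goes out over plain HTTP, which is the window an on-path attacker uses; only after one HTTPS response carrying the header does the browser upgrade on its own, and only until max-age runs out. The preloaded domain is upgraded before any response is ever seen.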
The solution to DNS spoofing exists and is called DNSSEC, but it has seen very slow adoption due to important hurdles -- real and perceived. Until DNSSEC is used universally, we must assume that DNS information we receive cannot be fully trusted.
Use VPN to solve the last-mile security problem
So, if you cannot trust Wi-Fi -- and/or the wireless router -- what can be done to ensure the integrity of the “last-mile” communication, the one that happens between your device and the Internet at large?
One acceptable solution is to use a reputable VPN provider that will establish a secure communication link between your system and their infrastructure. The hope here is that they pay closer attention to security than your router vendor and your immediate Internet provider, so they are in a better position to ensure that your traffic is protected from being sniffed or spoofed by malicious parties. Using a VPN on all your workstations and mobile devices ensures that vulnerabilities like KRACK or insecure routers do not affect the integrity of your communication with the outside world.
The important caveat here is that when choosing a VPN provider you must be reasonably assured of their trustworthiness; otherwise, you’re simply trading one set of malicious actors for another. Stay far away from anything offering “free VPN,” as they are probably making money by spying on you and selling your traffic to marketing firms. This site is a good resource that allows you to compare various VPN providers to see how they stack up against each other.
Not all of your devices need to have a VPN installed on them, but the ones that you use daily to access sites with your private personal information -- and especially anything with access to your money and your identity (government, banking sites, social networking, etc.) -- must be secured. A VPN is not a cure-all against all network-level vulnerabilities, but it will definitely help protect you when you’re stuck using unsecured Wi-Fi at the airport, or the next time a KRACK-like vulnerability is discovered.