First, and getting the most attention: A security flaw dubbed “KRACK” (Key Reinstallation Attack) affects most modern devices that connect to the Internet via Wi-Fi. Discovered by Belgian researchers, KRACK is a shortcoming in WPA2 (Wi-Fi Protected Access version 2), the standard protocol for secure wireless connection. It would allow a hacker situated in the vicinity of a wireless device to intercept its communications with the Internet and decipher them.
The good news is that the hacker must be near your device. So, the chance that you could be subject to such an attack at home or in a business’s office (other than a shared workspace) is quite slim. Hackers are more likely to go after specific targets or to situate themselves in target-rich locations like libraries, cafés, hotel lobbies, and other locations where many users would be connected to Wi-Fi at once.
The vulnerability rests not on the wireless access point (the network router or modem), but on the devices connected to it — your computer, smartwatch, smartphone, wireless printer, Nest devices, Amazon Echo, Google Home, Net-connected television, and everything else that connects to the Internet. As security updates to the software of these devices become available, they should be installed promptly.
Some systems will update automatically when the manufacturers “push” out the security patch. Others will notify you when an update or patch is available. Most likely, you will be asked to update the operating system — Windows, macOS, iOS, Android, etc. (Apple’s iOS and macOS are considered somewhat less vulnerable, as is Microsoft Windows. More vulnerable: Android, Linux, some other systems.)
- Make sure the operating systems of your devices are updated. When you are notified that an update is ready, install it without delay. (The status of such updates for many manufacturers is listed at the bottom of this article. Some already fixed the problem as early as July 2017.)
- Limit your activity on public Wi-Fi networks, particularly in locations where many people are connected simultaneously (a target-rich environment for hackers). In particular, avoid conducting secure communications such as banking, or anything requiring logging in to a site or service with a password.
- Consider turning off Wi-Fi on your smartphone when not connected to your home or (unshared) office network. Your cellular company’s data uses different encryption protocols than WPA2, and is not subject to the same vulnerability.
- I have previously recommended using Signal by Open Whisper Systems (recommended by Edward Snowden!) for encrypting texting; Signal also now offers reasonable quality encrypted voice calling, and various extras like the option to set text messages to disappear after a time period you specify.
- If you must have secure Web communications, install Virtual Private Network (VPN) software, which applies its own encryption to all data transmitted over Wi-Fi. Even if someone intercepts your signal and uses the KRACK hack to break WPA2’s encryption, all they’ll get is unreadable data scrambled by the VPN’s encryption. VPN apps are available for various computers and smartphones. I have a VPN on both my Mac laptop and my Android phone. For a basic primer on what VPN is, see VPN for Beginners. For ratings of some VPN services on a 5-point scale, see The Best VPN Services of 2017 from c|net. VPN may slow you down a bit as it launches. Some VPN services have slow data transmission because they’ve been overwhelmed with new clients since the current Administration was inaugurated in Washington, as activists and plain old citizens became concerned about the risk of greater government intrusion into their private communications. Many VPN services can also be set to disguise your location. (Right now, the Internet thinks I’m connecting from a spot several thousand miles away from my actual location.)
A second security flaw announced Monday, ROCA (Return of Coppersmith’s Attack), is dubbed “worse than KRACK” by some writers. This flaw affects encryption in critical applications, such as for national identity cards, software “signing” (by which the genuineness and security of software is confirmed), digital-signature documents, and protections for government and corporate computers.
You may have heard of “public-private key encryption.” This is a schema whereby data is encrypted using two “keys,” or strings of data. One is public, and one is private. If I send you a message, I encrypt it using your public key. You then decrypt it using your private key. This is secure only if a person’s public key can’t be used to figure out that person’s private key, which was believed to be the case — until ROCA, which enables an attacker to figure out your private key from your public key.
Versions of public-private key encryption are used in many protocols for secure Internet communications.
What you can do (the second and third of these are fairly technical; if you don’t understand them, they probably don’t apply to you):
- If you are asked by the issuer to replace a chip card (such as a credit card or secure ID card) or another device that uses encryption, do so promptly.
- If you have set up your own public-private keyset, using software like PGP or GPG, test your public key to determine whether it’s vulnerable. If it is, expire that key and create a new key, then share it with everyone who has your old key. (“Keys generated with OpenSSL, PGP-compliant programs, and other similar programs aren’t affected by ROCA. However, those that rely on embedded chips or smart cards for cryptographic functions may be vulnerable,” according to WCCFtech. GPG is PGP-compliant.)
- Counterintuitively, it appears that 3072-bit keys are harder to crack than the longer 4096-bit keys. If creating a new key, keep this in mind. However, you may want to do your own research before you choose a key size; it’s possible the advice regarding ROCA will evolve over the coming days, as this is new information in the public realm.
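The “test your public key” step above can be done offline. The script below is an added example, not code from this article or from the ROCA researchers’ own tool: it re-derives the published ROCA fingerprint (a modulus from an affected chip lands, modulo each small prime up to 167, in the subgroup generated by 65537) and applies it to an RSA modulus given as an integer. The two sample numbers are constructed for illustration, not real keys.

```python
# Added example (not from the article or the ROCA project): rebuild the ROCA
# public-key fingerprint from first principles and test a modulus against it.
# Affected Infineon keys have moduli N such that, for every small prime p in
# SMALL_PRIMES, N mod p is a power of 65537 mod p. A properly generated RSA
# modulus essentially never satisfies all 38 conditions at once.
from typing import Dict, List, Set

SMALL_PRIMES: List[int] = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
                           53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107,
                           109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537  # the generator used by the flawed key-generation routine


def residues_generated_by(g: int, p: int) -> Set[int]:
    """Return {g^k mod p : k >= 0}, the cyclic subgroup of (Z/pZ)* generated by g."""
    seen: Set[int] = set()
    x = 1
    while x not in seen:
        seen.add(x)
        x = (x * g) % p
    return seen


# Allowed residues per prime; this is the same table the public detector ships.
FINGERPRINT: Dict[int, Set[int]] = {p: residues_generated_by(GENERATOR, p)
                                    for p in SMALL_PRIMES}


def fingerprint_failures(n: int) -> List[int]:
    """Small primes at which modulus n does NOT match the fingerprint (empty = suspect)."""
    return [p for p in SMALL_PRIMES if n % p not in FINGERPRINT[p]]


def has_roca_fingerprint(n: int) -> bool:
    """True if n matches at every prime, i.e. the key should be replaced."""
    return not fingerprint_failures(n)


# Constructed sample values (not real keys): one built to match the fingerprint,
# one that deliberately fails at p = 11 (65537 mod 11 = 10, so only 1 and 10 pass).
M = 1
for _p in SMALL_PRIMES:
    M *= _p
CONSTRUCTED_SUSPECT = pow(GENERATOR, 12345, M) + 3 * M
CONSTRUCTED_CLEAN = 11 * 10**60 + 2

if __name__ == "__main__":
    for label, n in (("suspect", CONSTRUCTED_SUSPECT), ("clean", CONSTRUCTED_CLEAN)):
        print(f"{label}: roca={has_roca_fingerprint(n)} fails_at={fingerprint_failures(n)}")
```

To test a real key, extract its modulus (for example with `gpg --list-packets` or `openssl rsa -pubin -noout -modulus`), convert the hex to an int, and pass it to `has_roca_fingerprint`.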
Although these security flaws hit the technical press on Black Monday, neither is really a new discovery. The paper outlining KRACK was submitted for peer review in mid-May, and vendors were warned at that time. The ROCA vulnerability, found in chips manufactured starting in 2012, was discovered in January 2017, and reported to chipmaker Infineon, maker of the Trusted Platform Module (TPM) security chip containing the flaw, on Feb. 1. The TPM is used in business-class HP, Lenovo, and Fujitsu computers, as well as Google Chromebooks, routers, and “Internet of Things” devices (such as home controllers and security systems that can be monitored online).
So why are we just learning of these today? For one thing, the researchers who discovered these flaws wanted to give manufacturers a head-start in fixing the problems before hackers learned the details.
Why today, then? I can only speculate. It may be that these are being publicized now to prod companies to get moving on solutions; after all, it seems they’ve had plenty of time by now, and have not done much, as a group. Perhaps the release is intended to create “buzz” before researchers present their findings at a computer security conference Nov. 1–2.
We are in a brave new world. The advent of e-mail brought with it the scourge of spam. The World Wide Web brought phishing sites — Web sites that pose as log-in portals of banks and other vendors to dupe you into entering your passwords. The last year or so has brought a third wave — hacking of major institutions, such as the stealing of information from all Yahoo user accounts. Now, deeply embedded security protocols are at risk.
We have a choice to make: Accept the convenience and, sometimes, necessity of maintaining sensitive information in digital venues that can be hacked, or store them offline — on paper or on devices that aren’t connected to the Internet. If we choose the former (and most of us will), we need to become more knowledgeable about online security and act accordingly. There is no such thing as absolute security. KRACK and ROCA make that abundantly clear.
Pink fading interrobang image © 2017 Steve Freedkin/Your Attention, Please! communications. New/Not New image based on public domain image.
Other images are in the public domain.