Early this morning, news broke about a major security vulnerability in WPA2, the security protocol that underpins nearly every single wireless network. The flaw was disclosed by security researcher Mathy Vanhoef rather than hackers, which means that every single device vendor spent this morning panic-pushing security updates to consumers.
The bad news? Your Wi-Fi network (and your devices) are almost certainly vulnerable. The good news, though, is that you can probably patch them right now.
First off, there’s good news for Windows and iOS users about KRACK: It doesn’t matter for you. Although the vulnerability is technically present, any realistic attack using KRACK against Windows or newer versions of iOS won’t work or doesn’t present a serious threat.
A Windows patch to fix the issue was released on October 10th, so anyone who’s updated their PC since then (or has auto-updates enabled) should be fine. “Customers who apply the update, or have automatic updates enabled, will be protected,” a Windows spokesperson said. “We continue to encourage customers to turn on automatic updates to help ensure they are protected.”
iOS 11 and macOS High Sierra both make the attack difficult to execute, according to researchers, so anyone running those operating systems should be fine. iOS 11 is already downloaded to nearly 50% of all Apple devices that are capable of running it, so Apple users are well on the way to being safe. If you want to check what version of iOS you’re running, just go to Settings > General > About, and look at Version. Any number starting with 11 means you’re fine.
Apple appears to have told some reporters that there’s a concrete fix coming, and it’s already present in beta versions of iOS.
The biggest problem for client devices (i.e. not routers or Wi-Fi access points) is Android. Researchers suggest that 41% of Android devices are vulnerable to an “exceptionally devastating” version of the attack, which allows attackers to insert fake websites into a network and collect sensitive information.
Google has said that its own Pixel devices will be the first to get a patch for the attack, and that will come on November 6th. Other manufacturers will likely push Android updates to fix the flaw sometime after Google, but given the number of Android devices still being used that won’t get a security update, old Android devices are likely to be the weakest link.
Finally, some network equipment manufacturers have already pushed updates to fix the flaw. ZDNet has a list of all vendors that have issued a patch so far, but the list is largely made up of commercial-grade manufacturers like Cisco and Ubiquiti. It’s worth checking if your router has a firmware update available yet, but for now, your best bet is to make sure all of your client devices are patched and safe, and as ever, be careful about using public Wi-Fi networks that you’re unsure about.