It’s only four days since we were blessed with news of the KRACK vulnerability in WPA2, so what have we learned now that we’ve had some time to dig into the problem?
Patching Infrastructure (Access Points)
The good news on patching wireless access points is that most of the enterprise vendors, at least, are on the ball: they have either released patches, have them in testing, or have promised them in the near future. One of the primary victims of KRACK in these devices is 802.11r (Fast Roaming), which is not likely to be used in most home environments. It’s more common to see repeater or mesh functionality in the home, and because the AP acts as a wireless client in these cases, it is susceptible to the vulnerability. So if you just have a single AP in the home, chances are that updating the firmware because of KRACK is not that urgent. That’s probably a good thing given the number of wireless access points embedded in routers managed by internet providers, running on old and unsupported hardware, or created by vendors who are no longer in business.
The clients are where the rubber hits the road. Bearing in mind that KRACK is a vulnerability in the client-side implementation of WPA2, all clients need to be updated.
Where are the wireless clients located in a typical home? We may find things like:
- Laptop computers (both Windows and Mac)
- Smart mobile phones (Android, iOS, Windows Phone) / Smart Watches
- Sony PlayStation, Nintendo Wii/U/Switch/3DS/2DS/DSi, Microsoft Xbox
- Nest (or other connected) thermostat
- Roku / Chromecast / TiVo
- Apple TV / Apple AirPort Express
- Philips Hue bridge
- WEMO switches
- Printer/fax/scanner with wireless connectivity
- Amazon Echo / Sonos / and similar
- and more…
All of these clients need to be updated in order to be protected from the KRACK vulnerability. I’m going to hazard a guess that in the typical home, fewer than half of the devices either can be or will be updated. Is this a crisis?
Unfortunately, I don’t believe there’s a good answer to that question. Ideally we would all want to be protected; in particular, I would prioritize updating and protecting the devices I use the most every day. Anything that remains unpatched remains vulnerable, but then again, there is an argument to be made that nobody cares about what you have on your network, so the chances of somebody trying to hack your WPA2 sessions are pretty slim. That said, if and when attack software becomes widely available (and it’s inevitable that it will eventually), such that any bored script kiddie can start hacking their next door neighbor’s wireless, maybe that laissez-faire attitude to upgrading software might come back to bite you.
My 2 Bits
Find updates. Install updates. Figure out everything connecting to your network, and hunt down patches for all of it. It’s a huge pain but, at the end of the day, I believe it’s worth it.