You might have heard some doom-and-gloom news this morning: a researcher has finally figured out how to compromise the WPA2 encryption algorithm, the world's most popular WiFi encryption and almost everyone is vulnerable.
There is however, no reason to panic. It's patchable, the scripts to exploit devices are not in the wild, and many devices have already received updates. You'll probably hear a lot over the next few days that WiFi is "broken beyond repair" but it's not entirely true.
Called "Krack attacks" the new exploit affects the WiFi standard itself and allows an unauthenticated attacker to steal data from your network. It's not an easy hack, but it's one of particular concern because we can't just switch away from WPA2 like the last time when WEP was compromised and we all ran away.
Yes, this is bad... but the good news is it's also entirely addressable as per the FAQ:
Do we now need WPA3?
No, luckily implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access points sends exactly the same handshake messages as before, and at exactly the same moments in time. However, the security updates will assure a key is only installed once, preventing our attacks. So again, update all your devices once security updates are available.
Behold, a video demonstrating how this affects an Android device in the wild which are the most widely/adversely affected mobile devices:
The implications of this new attack are pretty scary sounding, and the news is still developing but a few things are fairly clear:
- Almost every mobile/desktop device on the planet is affected and needs patching
- Fixing IOT devices and Android devices which rarely see updates anyway is going to be difficult at best
- Your router will need a software update at some point
- Nobody will know how to update their router, or how to check if it's patched
If you're looking for an explanation of how this attack works, why it evaded detection for so long and even more detail you can find it here. Looking for someone to blame? Here's where to look, according to the same article:
If you’re looking for someone to blame, a good place to start is the IEEE. To be clear, I’m not referring to the (talented) engineers who designed 802.11i — they did a pretty good job under the circumstances. Instead, blame IEEE as an institution.
The long short of all of this is: you're definitely affected in some way, it just depends on which devices you use as to how to protect yourself. The most important thing to do is check if all of your devices can be patched immediately: not just your router, but whatever you're using to get online too.
To be clear, however, the reason this matters is because the data transmitted by any of your devices could now be exposed and attackers don't need to be on the same network as you. Just patching your router won't get you out of trouble, sadly.
Looks like router fixes aren't for the main issue. They're pushing fixes for the other issues in the paper. The critical one is a client patch.
— Graham Spookyland 🎃 (@gsuberland) October 16, 2017
I thought I'd try keep track of the first companies to push fixes out for this on both the router side and the client side.
Below you'll find a manually-updated list of every patched system I've found so far. Say hey in the comments if there's anything new not listed here, or if there's an obvious error.
Firmware patch status
|macOS||⚠️||macOS 10.13.1 (beta only — available to developers)|
|Windows||✅||Windows 7, 8, 8.1, 10|
|Linux||✅||Ubuntu 14.04+, Arch, OpenBSD, Debian, Gentoo, Linux upstream|
|ChromeOS||✅||Resolved in v62|
|Intel chipsets||✅||Firmware updates for various chipsets|
|Raspberry Pi||⚠️||Jessian, Stretch fixed. Wheezy and others by October 17.|
|Android||⚠️||Fixed at patch level "November 6, 2017." Rolls out soon to Pixel + Nexus.|
|Lineage OS||✅||Fixes merged, rolling out in next weekly release.|
|Samsung||⚠️||Modern Samsung devices receive Google security patches, but older ones don't. No comment on those.|
|iOS||✅||iOS 11.1 resolves the issue.|
|Google WiFi||❌||Google says a fix will roll out "soon"|
|Apple Airport||❌||Apple has not responded to requests for comment. (Update October 31: Still no comment)|
|Netgear||⚠️||No release available, but due "soon."|
|UniFi||✅||Firmware 3.9.3 resolves the issue.|
|Microtik||✅||RouterOS v6.39.3, v6.40.4, v6.41rc and up.|
|LEDE||⚠️||Fix available in nightly builds.|
|Eero||⚠️||eerOS 3.5 and up.|
|AVM||❌||Aware of issue but won't update unless "necessary."|
|DD-WRT||✅||Fixed in core, waiting for builds.|
|Meraki||✅||Fixed with Meraki 24.11 and 25.7.|
|Aruba||✅||Updates available across Aruba hardware.|
|FortiNet||✅||FortiAP 5.6.1 and up fix the issue.|
|Cisco||✅||Updates available across Cisco hardware.|
|TP Link||❌||The company doesn't know if it's affected.|
|KPN (NL)||❌||Statement released with no fix information.|
|Nest||❌||Reportedly Nest is telling customers their devices aren't affected.|
|Sonos||❌||No response to queries.|
|Amazon||❌||"In the process of reviewing devices." No fix issued for Echo etc.|
|Belkin||❌||"Aware of the issue" but no fix for Wemo/Linksys devices.|
✅ = Available for download and patched.
⚠️ = Fix pending release or in beta.
❌ = No known fix
There's also an exhaustive (kind of hard to read) list available here, on the CERT website addressing the vulnerability.
If you find any other companies with fixes out already, let me know in the comments or on Twitter.
If you want help with your security in general there are some fantastic instructions here on how to protect yourself.
Last update: 01:23 PM Oct 31 (ET) — Added Apple's announcement about iOS 11, ChromeOS.
08:47 AM Oct 17 (ET): Reformatted as table for readability, added Sonos + Nest along with other major IOT vendors.
Update: 07:05 AM Oct 16: Added information about Raspberry Pi.
Update: 01:40 AM Oct 16: Added information about iOS updates, Eero and major IOT vendors.