Kracks in the WiFi Wall

Earlier this fall, news broke that researchers had discovered a flaw in the most popular type of encryption used to protect WiFi networks, WPA and WPA2.  The flaw was dubbed the Krack virus by the media, but that is a bit of a misleading term, as the issue is really a bug in the way the encryption works and this flaw can show up on almost any device or WiFi networking equipment that uses one of the WPA standards for network access.  The technical details are available in great detail on the researchers’ website, but the average user probably does not need to know all the background to solve the problem.  So, just what is Krack and how does it apply to your devices?  What does it all mean for security in the modern, connected home?  Below are some tips on how to check if you are covered from this flaw, as well as some general networking best practices.

First, the good news is, if you have your devices set to do automatic updates, which you should, then it is very likely this is old news to you in terms of what you need to do to make most of your devices safe.  I say most since not all devices do automatic updates, so the first thing you want to do is check to make sure yours do indeed complete updates on their own.  Now, you may be thinking OK, I checked my computer and my phone, so all is OK.  That would be the first mistake many users make when addressing Krack.  Since the Krack bug impacts how a WiFi router recognizes authorized users and how it sends encrypted data to those users, you need to look at everything that is connected to your WiFi router.  That means starting with the actual router.  If you had someone else set-up your WiFi or you did it yourself, but long ago, you may want to dust off any paperwork that came with it or look for more information on the manufacturer’s website.  All routers should have a dedicated, private IP address you can use to access the configuration page.  This number will look something like 198.162.1.1 – this can only be accessed by a device on the network and not the internet, since it is a private address.  You would type the number into a browser’s address bar and then log on with the administrator user name and password.  Hopefully you changed the default password when you set the router up, but if you didn’t and forgot it or need to look it or the IP address up, do an internet search for the router model and the words default address or default administrator and you will find them.  Again, the manufacturer’s website likely has this listed somewhere.  In most cases, once you log onto the router’s configuration screen, you want to look for someplace that list maintenance or updates to see if the router is set to do automatic updates.  If not, it is a good idea to turn them on.  If this is not an option, see if there is a link to check for a firmware update and click that to do an update.  Much older routers may not even have that and you would need to look to see if an update can be downloaded to your computer from the manufacturer’s website.

Once you have the router squared away, take time to stop and think about all the other devices in your home that connect to the internet.  Now is a really good time to do an inventory to keep on hand, since you really should have one and be diligent about making sure all the devices are updated on a regular basis.  Aside from your phone and computer, check any tablets, game consoles, DVD or Blu-Ray players, home media servers, connected music players, personal assistants/speakers such as Echo, WiFi enabled cameras, home security or surveillance systems, SmartTVs, thermostats, light bulbs, other SmartHome devices, and yes, appliances.  Basically, you want to look for anything that needs to connect to the internet for any reason since it is likely doing so via WPA or WPA2.  The easiest way to check is to do a search for Krack and/or the model number on the manufacturer’s website.  They will tell you if the device is impacted and, if so, how to patch it with firmware or a change in settings.

Keep in mind that not all devices will have patches available for them, either due to age or the inability to easily patch them.  Wired ran an in-depth article about how difficult it will be to patch devices that are on the market today or are legacy devices that are still in use despite being off the market for many years.  The whole issue, the article notes, exposes the security concerns brought on by the internet of things, the presence of many unmonitored devices we connect to the networks in our homes and office every day.  Devices such as those lightbulbs and appliances that report in just to update you on their general status or to listen for a voice command to dim them can often be overlooked when we think of what may be connecting to the outside world from our living room.  While there is likely no reason to worry about some sort of Hollywood-scripted take-over of toasters to cause chaos in our lives, it is best to do your due diligence and keep up to date on any patches you need to apply to those devices too.

- Laura, Information Technology