By Joe Callison
1 November, 2017
In October we were hit with two particularly onerous public alerts about security threats known as KRACK and ROCA. KRACK is the WPA2 vulnerability, which potentially affects the security of anyone using wi-fi communications. ROCA is the encryption key vulnerability, which potentially affects anyone using devices or software that uses encryption keys generated from chips made by Infineon, which has about 30% of the market share for such security chips.
Normally when vulnerability is discovered, the affected manufacturer of the product is notified in advance of it going public to give them time to come up with a remedy before the public, including hackers, find out about it. For example, the public alert about KRACK was released on October 16, but Microsoft had already released a software update for the currently supported Windows versions on October 10 to address the vulnerability. Apple has fixes in beta testing that will be released soon for all Apple devices. Google is working on Android fixes, beginning with their own Pixel 2 phones.
As technology consumers, we want to know two things:
1. Am I affected?
2. If so, what should I do about it?
For the wi-fi vulnerability, I recommend referring to the Homeland Security site that is tracking the vulnerability and vendor responses in the link below. Click on Affected for the vendor of interest and there may be links to further information from the vendor or suggested remedies. If you do not see a response from the manufacturer on this site, I would try going directly to the manufacturer’s site to see if there is an announcement. There are also many internet sites that are reporting about the KRACK vulnerability, but they are not always updated when new information is released. The Security Alerts and Updates area of the SenCom web site is a good place to start.
If you have a Windows 7, 8.1 or 10 computer that shows the October updates from Microsoft in the Windows update history, then that computer is safe from the vulnerability.
If you have an Apple computer with macOS High Sierra, Sierra or El Capitan or an iphone or ipad with iOS11, security patches became available on October 31. Apple also released patches for other Apple devices that utilize wi-fi.
If you have an Android device, especially with Android version 6 (Marshmallow) or later, you are especially vulnerable and it may be some time before a solution is available for your device.
For devices at risk, the best advice is to avoid wi-fi as much as possible, especially public wi-fi. If you have a VPN service you trust, use it, but be aware that most of the free ones are not trustworthy.
When you do use wi-fi, only use https secure links on the internet. This will not stop someone from getting your transmitted data, but they will not be able to read it. They can, however, send malicious files to your device, print to your printer, or access other wi-fi connected appliances in your home if the router is vulnerable.
Both the router and the client device need to be vulnerable for someone to intercept information transmitted between them, so patching either the router software/firmware or the computer/device software/firmware will prevent the vulnerability.
For the encryption key vulnerability, I recommend referring to the Homeland Security site that is tracking the vulnerability and vendor responses in the link below. Click on the link of the affected vendor of interest for more information and remedies. Again, there are many internet sites that are reporting about the ROCA vulnerability, but they are not always updated when new information is released. The Security Alerts and Updates area of the SenCom web site is also a good place to start.
Not many of us are likely to have computer equipment with the affected Infineon chips, but millions will be affected indirectly one way or another. The vulnerability can be present in cards of all types that have chip security using encryption keys that were generated by the Infineon chips. This could include credit cards, building security access cards, employee or health care ID cards, etc. Fake or malicious software can use security certificates made from hacked encryption keys to fool people into trusting to download and install them. Two-factor authentication devices such as the Yubikey 4 using encryption keys generated by the Infineon chips can be hacked.
Encryption keys with 1024 bit or less encryption are the most easily hacked. With 2048 bit or more encryption it becomes very expensive to hack, making it practical only for very high value targets to be attacked.