KRACK and ROCA: Are You Safe?

GEEK FREE
By Joe Callison
1 November 2017

In October we were hit with two particularly onerous public alerts about security threats known as KRACK and ROCA. KRACK is a vulnerability in the WPA2 wi-fi protocol, which potentially affects the security of anyone using wi-fi communications. ROCA is an encryption key vulnerability, which potentially affects anyone using devices or software whose encryption keys were generated by chips made by Infineon, a company with about 30% of the market share for such security chips.

Normally when a vulnerability is discovered, the affected manufacturer of the product is notified in advance of it going public to give them time to come up with a remedy before the public, including hackers, find out about it. For example, the public alert about KRACK was released on October 16, but Microsoft had already released a software update for the currently supported Windows versions on October 10 to address the vulnerability. Apple has fixes in beta testing that will be released soon for all Apple devices. Google is working on Android fixes, beginning with their own Pixel 2 phones.

As technology consumers, we want to know two things:
1. Am I affected?
2. If so, what should I do about it?

For the wi-fi vulnerability, I recommend referring to the Homeland Security site that is tracking the vulnerability and vendor responses in the link below. Click on Affected for the vendor of interest and there may be links to further information from the vendor or suggested remedies. If you do not see a response from the manufacturer on this site, I would try going directly to the manufacturer’s site to see if there is an announcement. There are also many internet sites that are reporting about the KRACK vulnerability, but they are not always updated when new information is released. The Security Alerts and Updates area of the SenCom website is a good place to start.
https://www.kb.cert.org/vuls/id/228519

If you have a Windows 7, 8.1, or 10 computer that shows the October updates from Microsoft in the Windows update history, then that computer is safe from the vulnerability.
If you have an Apple computer with macOS High Sierra, Sierra or El Capitan, or an iPhone or iPad with iOS11, security patches became available on October 31. Apple also released patches for other Apple devices that utilize wi-fi.
If you have an Android device, particularly one running Android version 6 (Marshmallow) or later, you are especially vulnerable, and it may be some time before a solution is available for your device.
For devices at risk, the best advice is to avoid wi-fi as much as possible, especially public wi-fi. If you have a VPN service you trust, use it, but be aware that most of the free ones are not trustworthy.
When you do use wi-fi, only use HTTPS secure links on the internet. This will not stop someone from getting your transmitted data, but they will not be able to read it. They can, however, send malicious files to your device, print to your printer, or access other wi-fi connected appliances in your home if the router is vulnerable.
Both the router and the client device need to be vulnerable for someone to intercept information transmitted between them, so patching either the router software/firmware or the computer/device software/firmware will block the attack.

For the encryption key vulnerability, I recommend referring to the Homeland Security site that is tracking the vulnerability and vendor responses in the link below. Click on the link of the affected vendor of interest for more information and remedies. Again, there are many internet sites that are reporting about the ROCA vulnerability, but they are not always updated when new information is released. The Security Alerts and Updates area of the SenCom website is also a good place to start.
https://www.kb.cert.org/vuls/id/307015

Not many of us are likely to have computer equipment with the affected Infineon chips, but millions will be affected indirectly in one way or another. The vulnerability can be present in chip-secured cards of all types whose encryption keys were generated by the Infineon chips. This could include credit cards, building security access cards, employee or health care ID cards, etc. Fake or malicious software can use security certificates made from hacked encryption keys to fool people into trusting it enough to download and install it. Two-factor authentication devices such as the Yubikey 4 that use encryption keys generated by the Infineon chips can be hacked.
Keys of 1024 bits or less are the most easily hacked. With 2048-bit or longer keys it becomes very expensive to hack, making it practical only against very high-value targets.
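The question "Am I affected?" can be answered for a specific RSA key, because the Infineon keys have a mathematical structure that can be recognized from the public key alone. As an added example (not part of this post, and not code from Infineon, CERT or the researchers), here is that public fingerprint test in Python, following the method described by the researchers who reported ROCA: each Infineon-generated prime has the form k*M + (65537^a mod M), where M is the product of the first few dozen primes, so the modulus n = p*q reduced modulo each of those small primes always lands in the subgroup generated by 65537. Function names are our own, and the structured modulus built by make_structured_modulus is a constructed test value, not a real key.

```python
# Added example: ROCA fingerprint check (detection only; it does not factor keys).
# Function names are our own; the structured modulus below is constructed test data.

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
                59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113,
                127, 131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537  # the public exponent whose powers define the weak structure


def _subgroup(g, r):
    """Return {g^0, g^1, g^2, ...} mod r: the cyclic subgroup generated by g."""
    members, x = set(), 1
    while x not in members:
        members.add(x)
        x = (x * g) % r
    return members


def roca_fingerprint(n):
    """True if modulus n carries the ROCA structure (replace the key); else False.

    A properly random RSA modulus lands outside the subgroup for at least one
    small prime with overwhelming probability, so False is the normal result.
    """
    return all(n % r in _subgroup(GENERATOR % r, r) for r in SMALL_PRIMES)


def modulus_from_hex(hex_modulus):
    """Parse the 'Modulus=HEX' line printed by `openssl rsa -pubin -noout -modulus`."""
    return int(hex_modulus.split("=")[-1].strip(), 16)


def _is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin primality test with fixed bases (used only to build test data)."""
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_structured_modulus(a, b):
    """Build a constructed ROCA-shaped modulus for exercising the detector.

    M is the product of SMALL_PRIMES; each factor is the smallest prime of the
    form k*M + (65537^x mod M).  Test data only, not a real Infineon key.
    """
    M = 1
    for r in SMALL_PRIMES:
        M *= r

    def prime_in_class(x):
        residue = pow(GENERATOR, x, M)  # a unit mod M, so k*M + residue is odd
        k = 1
        while not _is_probable_prime(k * M + residue):
            k += 1
        return k * M + residue

    return prime_in_class(a) * prime_in_class(b)


if __name__ == "__main__":
    # Constructed inputs: a small unstructured modulus and a ROCA-shaped one.
    print("101*103 flagged:", roca_fingerprint(101 * 103))                # False
    print("structured flagged:", roca_fingerprint(make_structured_modulus(5, 11)))  # True
```

To check a real public key, print its modulus with `openssl rsa -pubin -in key.pem -noout -modulus` and pass the output line to modulus_from_hex before calling roca_fingerprint. A True result means the key was generated by the affected library and should be replaced; the test says nothing about how hard the key is to break, which, as the post notes, depends on its length.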


2 comments

Good Morning Joe:
I may not be able to attend the Techies meeting tomorrow (11-8). My question is this: I have been using Google Chrome for several years now. I download transactions from my bank and have not had a problem with Chrome. Within the last couple of months it appears to not be supporting this anymore. I am noticing this on other sites as well. Is there a reason for this?

I suspect that the ability to download transactions required some plug-in or Java that is no longer allowed in Chrome. Firefox is also ending support for the legacy plug-ins. This was the subject of a recent blog on Firefox browser changes. The web sites you are having problems with should be using new WebExtensions, if required, which may not be available yet.
Another requirement for downloads is the acceptance of cookies. If a browser privacy change was recently made to block cookies, then it could cause the problem.
I recommend trying to find out what the bank’s browser requirements are for downloading transactions. You can also try other browsers just to see if the problem is only with Chrome.
