Update on this post: We rolled out a preventative patch for our pod firmware to all customers. More details can be found in the Plume Software Release Notes.
KU Leuven researcher Mathy Vanhoef publicly disclosed his discovery of a pervasive WiFi security vulnerability on Monday, 16 Oct 2017. The “Key Reinstallation Attack” (nicknamed “KRACK”) targets the secured wireless links between wireless routers and client devices by exploiting a weakness in the implementation of the WPA2 security protocol.
We’ll dive into some of the details about what WPA2 is and how the KRACK works below. We want to clearly outline how your HomePass network and household devices could be affected.
In short, we rolled out a preventative patch for our pod firmware into our beta environment today to improve your network security. As soon as the beta testing is completed, we will roll it out to all customers. This addresses the network portion of the risk.
Your smartphones, laptops, and almost all other devices will require their own updates. We make some suggestions below about best-practice precautions when using the internet to keep yourself secure.
IT TAKES TWO
When a wireless network link is formed, one side of that connection is the access point (or “AP”), and the other side is the client (called a “station,” or “STA”). The AP and the STA exchange encryption keys with a process called the “4-way handshake,” which lets them communicate securely with each other even if an attacker listens in. All Plume networks automatically use the most secure form of WiFi encryption, called WPA2-CCMP with AES.
Vanhoef’s collection of KRACK exploits requires an attacker to be within physical range of the network to wirelessly intercept the 4-way handshake. This attack has several variants; they all basically open a chink in the encryption armor. By acting as a middleman between the AP and the STA, an attacker can attempt to break the encryption on some of the transmitted wireless traffic.
NO POD VULNERABILITY
One of the attacks attempts to hijack your wireless connection when your client device roams from one pod to another. Your pod firmware is not susceptible to this attack. Nothing to worry about here.
Two important software libraries commonly used in APs and STAs, hostapd and wpa_supplicant, have new patches to address the KRACK vulnerabilities. We are running the fixes through our Quality Assurance and Beta testing processes, and will roll them out to your HomePass network. Since we remotely deliver firmware updates, you won’t have to do anything. We will update this post to let you know as soon as the update is available and pushed to your network.
CLIENT DEVICE VULNERABILITY
The more widespread and critical vulnerability, however, affects the many wireless client devices connecting to our home networks. Laptops, smartphones, smart TVs, internet-connected speakers, AI voice assistants, video game consoles, and so on, are almost all susceptible to KRACK. If an attacker successfully hijacks their connection to your network, the attacker could attempt to decode plaintext transmissions.
Fixing this vulnerability requires updates from the device manufacturers. Apple must patch iOS. Microsoft must patch Windows. Google must patch Android (the patch may be delivered by your mobile carrier). So we recommend that you check into the available updates for all of your devices, and make a habit of updating your software regularly.
YOU CAN PROTECT YOURSELF
While this may sound like bad news, luckily, there’s another layer of security that is not affected: applications that communicate over secure connections (HTTPS websites, messaging tools like iMessage and WhatsApp, mobile apps like Facebook or Dropbox, and many others) should continue to operate normally and securely. Even if an attacker is snooping on your traffic, the application traffic is independently encrypted.
While you can depend on most of your important smartphone apps to use secure connections, you should pay extra attention to websites to make sure they are using a secure connection. Each web browser indicates this differently, so we have linked to some relevant info on our KRACK FAQ.
Security is never “done,” and it’s never fool-proof. It requires constant vigilance and reassessment. As a cloud-managed network service, Plume will continue to monitor and can roll out software updates as may become necessary.
Irrespective of the new KRACK, we recommend that you use best practices when it comes to Internet security. Check manufacturer websites for firmware updates, and always try to keep your devices up to date.
If you have any questions, just let us know at [email protected].