Security notification: KRACK
Posted on October 17, 2017
At Telstra we take protecting the privacy and security of our customers and network seriously, which is why we are letting our customers know about a newly disclosed security vulnerability that could compromise users of modern protected WiFi networks.
The vulnerability, uncovered by university researchers, is named KRACK, and it weakens the encryption that protects traffic on a WiFi network. It has the potential to affect enterprise products and consumer devices that connect to WiFi, such as mobile phones.
KRACK could be used by someone with ill intent to monitor a user's WiFi browsing sessions and steal sensitive information, or to direct the user to phishing and malware pages.
While KRACK is notable, the WiFi Alliance has indicated that there is no evidence the vulnerability has been exploited maliciously. Furthermore, many security experts agree that criminals are less likely to exploit it, because KRACK requires an attacker to be physically within range of the WiFi network they wish to target. Many criminals would instead opt for traditional, simple attacks such as phishing, which are effective, scalable, and allow victims to be targeted from anywhere in the world. Telstra has not independently tested this.
Whilst this may be the case, we still recommend you take steps to protect yourself and your devices.
Help protect yourself now
To help protect yourself against KRACK, we recommend that all customers follow good WiFi security practices. While there is currently no guaranteed defence against KRACK, these measures will reduce your exposure and should be followed whenever you connect to any public WiFi.
1. Avoid conducting sensitive transactions like internet banking on public WiFi. Use your mobile data instead.
2. When using WiFi networks, check that the sites you visit use HTTPS. Depending on your web browser, you can tell HTTPS is in use by looking to the left of the website address for the prefix HTTPS (as opposed to HTTP), a closed padlock, or the word ‘Secure’.
3. Avoid open, password-free public WiFi networks such as those at airports. We recommend using the Telstra Air app when connecting to Telstra Air as the app helps protect you from accidentally connecting to a hotspot that is pretending to be part of the Telstra Air Network to unlawfully access your information.
WiFi users should also be mindful of web browser warnings such as “your connection is not private” in Google Chrome, “this site is not secure” in Internet Explorer, and “your connection is not secure” in Mozilla Firefox. These warnings may indicate that an attacker is interfering with the connection and attempting to send users to phishing or malware pages.
Patching: proper protection long-term
Proper protection against KRACK requires technology companies to issue patches in order to safeguard users of their products from this attack.
Microsoft has already issued patches for Windows 8 and Windows 10; if you use either of these operating systems, you should apply the latest updates. Google is creating a patch for its Android operating system. Apple has already developed a patch that it says will be deployed to supported devices soon.
What we’re doing
Telstra is working rapidly with our modem suppliers to determine whether any devices are vulnerable. If we find an issue with a specific modem or WiFi device, it can be resolved through a software update: Telstra will first determine which devices could be affected and then, where possible, update those devices remotely to fix the security vulnerability.