Sunday, March 15, 2020

Kr00k

Every now and then my propeller beanie comes out.


Here I go again.

Recently ESET was researching KRACK (archive.is) vulnerabilities in Amazon's Echo. This has been fixed by Amazon (archive.is).

But ESET's research turned up another, broader vulnerability they call Kr00k.

The deep dive presentation by ESET is on YouTube. Watch it when you're not sleepy.

An explanation for mere mortals is here (archive.is). Steve Gibson covers it here. Some of the coverage has lists of vulnerable devices. Your Wi-Fi device not being on this list does NOT mean you're safe. It just means that they didn't test your device.

The short explanation is to update your devices if/when you can. Phones and tablets that are being updated will probably be updated automatically. The device you need to look into is your home router.

Log in to the administrator page and see if it offers you a firmware update. If not, go to the manufacturer's support page and look for firmware updates.

This isn't a "The sky is falling" problem, as the hacker has to be within Wi-Fi range of your router. And using HTTPS defeats the exploit. But updating your firmware is always a good idea.

The Wired article concludes with:
Despite the limited threat posed, readers should ensure their devices have received updates issued by the manufacturers. This advice is most important for users of vulnerable Wi-Fi routers, since routers are often hard to patch and because vulnerable routers leave communications open to interception even when client devices are unaffected or are already patched.
