The revelation this week that a serious security flaw could affect WiFi networks in homes and businesses highlights how tough it can be for consumers to keep vital technology updated with secure software.
Millions of households rely on wireless routers, laptops, and smartphones for their day-to-day lives. It's relatively routine to update a laptop—many devices are updated automatically. But other devices go years without getting updated by their owners, slowly gathering dust while missing advances in security.
The new WiFi vulnerability was dubbed KRACK (for Key Reinstallation Attack) by its discoverers, a pair of researchers at a Belgian university. It could allow attackers to access private data flowing through an encrypted WiFi network. The data could include usernames, passwords, credit card details, emails, and more.
“There’s a vulnerability in all current implementations of WiFi—the way WiFi works between devices and wireless access points,” says Bob Rudis, chief data scientist at Rapid7, a cybersecurity firm that has already written extensively about KRACK.
To be clear, these are researchers, not criminals, and there's no evidence that anyone's WiFi network was actually infiltrated. But the list of affected products could be a long one: The flaw affects a WiFi encryption protocol known as WPA2 that has been standard since the mid-2000s, leaving consumers on the hook to seek out and install software updates.
“My advice to home users and small business owners would be not to panic too much for now,” says Graham Sutherland, an independent security researcher. “The KRACK paper has only been out for a couple of days and [since researchers quietly informed tech companies about the problem ahead of time] companies with affected devices have had a while to start working on fixes.”
But that doesn't mean all of those updates will get to consumers. When it comes to routers, in particular, many people may need to delve into unfamiliar settings panels searching for an elusive “update” button.
PCs and Laptops
Both Apple and Microsoft say they have developed patches that fix the vulnerability in macOS and Windows 10.
Microsoft says it rolled out the patch earlier in October, but didn't announce the fix until the Belgian researchers were ready to go public.
Apple confirmed to Consumer Reports that the patch will be widely released within the next few weeks. A currently available beta version of macOS already contains the patch but is only intended for advanced users who are comfortable using pre-release software.
Security experts say that consumers shouldn't worry about waiting for the official macOS release. Any would-be attacker needs to be within range of their victim’s wireless router—KRACK cannot be initiated over the internet. Unless a sophisticated hacker has a motivation to specifically target your home or business, you're probably not in immediate danger of having your data stolen.
Wireless Routers
Wireless routers are vulnerable to KRACK—that's not surprising since they create your WiFi network. How you update your router software to fix the problem depends on how and when you obtained the device.
Many consumers rent a router from their broadband provider. Consumer Reports has pointed out the advantages of buying your own router—but this is one case where using the company's router makes things easy. Internet service providers tend to automatically update network equipment, including wireless routers. Comcast, Verizon, Charter, and AT&T did not respond to Consumer Reports’ request for comment on KRACK, but they maintain online help pages that detail how frequently they update the routers in people's homes.
It’s a slightly different story when consumers have bought their own wireless routers.
The Wi-Fi Alliance, the industry consortium that sets and maintains the technical standards of WiFi, tells Consumer Reports that consumers should manually check to ensure that their routers are fully updated, which can typically be viewed on the router’s settings panel. Here are links to detailed instructions on how to initiate a manual update for routers made by Asus, D-Link, Linksys, and Netgear.
Certain newer routers, including several made by Belkin as well as the startup Eero, automatically push updates without requiring the user to do anything.
“If you know for a fact that you have a newer router that updates automatically then great, that's good,” says Richard Fisco, who heads up router testing at Consumer Reports. “But if you have a router that’s older than two years old, you probably should check it and see if there’s a way to manually update it.”
Smartphones
Smartphones are as vulnerable to the KRACK flaw as routers or laptops.
Both Apple and Google have developed patches that fix the vulnerability in iOS and Android. An update for iOS that’s due for wide release within the next few weeks will have the patch, Apple confirmed. There's a beta version of iOS with the patch, aimed at advanced users willing to use pre-release software. However, other users probably can wait without incurring much risk.
The situation with Android is slightly more complicated.
Google says its next Android monthly security update, due on Nov. 6, will contain a patch for the vulnerability.
But exactly when this security update reaches the average Android smartphone is another matter entirely: If you own one of Google’s own smartphones, including the Pixel and most recent Nexus models, you'll get the update right away.
But smartphones made by other manufacturers don’t typically receive security updates as soon as they’re released. Major Android smartphone makers including Samsung, LG, and HTC did not respond to Consumer Reports’ request for comment on when their customers can expect to see this security update.
Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2017, Consumer Reports, Inc.