Just a couple of weeks ago, a major security threat was uncovered that affected virtually every Android device and other electronic device with a Wi-Fi adapter. The bug, dubbed “KRACK”, had the potential to allow hackers to intercept and decrypt communications from phones, tablets and other connected gadgets. What made KRACK threatening is that the security flaw was part of the design of the WPA2 network security standard itself. Because it was in the standard, any device that supports WPA2 is at risk; it wasn’t limited to hardware or software developed by particular manufacturers.
The security flaw was discovered by a researcher from the University of Leuven (KU Leuven) named Mathy Vanhoef. The KRACK vulnerability affects the WPA2 Wi-Fi protocol and allows hackers to forcibly reinstall connection keys and intercept the device’s WPA2-protected Wi-Fi traffic. A lot of vendors, Google included, were notified of the vulnerability in advance, and most had already provided fixes and workarounds when Vanhoef published his research. One of the vendors that was quick to act was Microsoft. The company silently deployed KRACK fixes to its Windows users, without really telling anyone, a month before the KRACK vulnerability went public. This was followed by Apple, which released KRACK patches by the end of October as part of the new iOS 11.1 and macOS High Sierra 10.13.1. Users can also identify which devices are vulnerable to KRACK using the tools and proof of concept that Vanhoef has released on his GitHub account, or through a toolkit named KRACK Detector, which was developed by a third party.
According to researchers, 40% of all devices running Android OS were most at risk and vulnerable to attacks enabled by the flaw. So if you go by Google’s figure of 2 billion Android devices active on a day-to-day basis in May this year, then around 800 million Android devices are at risk of being attacked. The KRACK vulnerability was revealed in mid-October. Some device manufacturers were notified ahead of time, and once word got around, other manufacturers were quick to come up with patches to remedy the security flaw. And now Google has released its very own patches, which were published with this month’s Android Security Bulletin; with this, the company has provided a fix for the KRACK vulnerability.
The Android Security Bulletin for November 2017 is split into three separate packages, namely 2017-11-01, 2017-11-05 and 2017-11-06, and the KRACK fixes are included in the 2017-11-06 package. So if your device has received the update and its security patch level is 2017-11-06, then rest assured that the KRACK fixes are part of it. Aside from the KRACK flaw, the patches in the Android Security Bulletin also fix other security bugs in the Android OS. These include five remote code execution bugs in the Media framework (CVE-2017-0832, CVE-2017-0833, CVE-2017-0834, CVE-2017-0835, and CVE-2017-0836), which allow hackers to take over Android devices through malformed multimedia files. On top of that, the Android Security Bulletin for November also includes fixes for six other bugs reported by a security researcher named Scotty Bauer. These bugs, which are also remote code execution flaws, affect the Qualcomm WLAN component and are explained in more depth on a website that Bauer has set up just for this purpose.
Users who haven’t received the over-the-air updates from their mobile provider or phone vendor yet can download the updated OS images from the Android project’s home page. Be mindful that flashing the device and installing the updated version of the Android OS can be a very complicated task.