KRACK vulnerabilities explained and how Xiaomi patched it before Google

KRACK or Key Reinstallation Attack is the recently discovered security flaw in WPA protocol, the encryption used by Wi-Fi routers. This vulnerability allows hackers to break the encryption between router and the connected device, accessing all the data being transferred from your device to the router, i.e. the internet.

Now before getting to the fix provided by Xiaomi and other OEMS, let’s see how KRACK works. When a user connects to the Wi-Fi, the router uses PA2-PSK encrypted connection to provide an IP to tje desired device. Now that did sound little tricy. Making it simple, the router checks the password entered by the user and if it’s correct, provides a connection to the device. That’s why it is called PSK, or Pre-Shared Key. The connection is encrypted meaning no one can access the data being shared between your router and device.

When the device connects to a Wi-Fi source, the establishment of connection is a 4 way process, like checking the password entered by user, providing an encrypted connection between the router and device. Now KRACK interferes with the initial stage that actually is not encrypted since router has not provided an encrypted connection yet. This allows to the hacker to decrypt all the data being shared between the router and your device without even being actually on the network! Now that is quite scary!

Once this issue arose and got some serious attentions, Big Players like Microsoft immediately released patches for this. But, what if your OEM does NOT provide you a patch? A simple way is by using a VPN or a Virtual Private Network.

Now note that if you are a normal user living in apartment or colony who uses basic internet like social media, Google, etc. You actually should not be worrying because no one is standing near your house waiting to collect your data. But still if you think that there is someone, you can use a VPN that encrypts the entire connection virtually so that the hacker can not exploit and breach the data between your router and device. But wait! There’s another catch. Since you are using a VPN, you won’t be able to use IOT devices like Chromecast, smart locks, smart lights etc that are controlled by your device, connected to the same Wi-Fi network. Damn, this thing is complicated!

• Now about the fixes!

OwenWilliams has listed the manufactures who have pushed patches for the same.

Google said that they will be fixing this issue with a patch in the November Security Update, now that’s too late! Also considering that it will take ages for this security patch to reach smaller OEMS of the Android market who never give security patch updates.

In the Android department, Lineage OS and Omni ROM, two big players from the Custom ROM Android segment are one of the first ROMS on Android to patch this issue. But, not everyone is using Lineage and Omni.

In the OEM segment, Xiaomi has fixed the patch for a whole bunch of devices, some of them which are actually 3-4 years old.
These devices include the

The Redmi Note 4 MTK, Redmi Note 4 Qualcomm/Redmi Note 4X, Mi 6, Mi Note, Mi Note 2, Mi 5, Mi 5s, Mi 5s Plus, Mi Max, Mi Max Prime, Mi Max 2, Mi 2/2S, Mi 3, Mi 4, Mi 4i, Redmi 2, Redmi 2 Prime, Redmi 3, Redmi 3S, Redmi Note 4G, Redmi Note Prime, Redmi Note 3 Qualcomm, Redmi Note 3 Special Edition, Redmi Note 2 and Redmi 4 / 4X 

Now that is really a big list considering how quickly Xiaomi fixed the issue. All the above mentioned devices got the patch on the Developer ROM and should be out for stable as well. There are some devices which are 4 years old and kudos to Xiaomi for releasing the patches. This makes us believe Xiaomi as a brand who supports their devices for a long period.

In the iOS segment, patches have been released in the latest Beta iOS and should be out for stable as well.

What if your manufacturer is dead or denies you a patch? Well, there’s actually nothing you can do from your side. Either use a VPN if you are very sensitive about your data, compromising on IOT devices or remain with the exploit on your device.

In the end, Good Work Xiaomi!

Leave a Reply

Your email address will not be published. Required fields are marked *