Solid advice for setting up a new wireless router or Wi-Fi network in your home is to password-protect it. Set a secure password using Wi-Fi Protected Access 2 (WPA2) and only share it with those you trust.
Since the WPA2 standard became available in 2004, this was the recommended setup for wireless area networks everywhere — and it was thought to be relatively secure. That said, like the deadbolt on your house, password protection is really only a strong deterrent. Like most things, as secure as WPA2 was believed to be, it was only ever as strong as your password or any vulnerabilities discovered in its security.
Over the weekend, a vulnerability was indeed discovered and turned the internet on its head.
A(which stands for Key Reinstallation Attack) was unveiled. The ominously named crypto attack exploits a flaw in the four-way handshake process between a user’s device trying to connect and a Wi-Fi network. It allows an attacker unauthorized access to the network without the password, effectively opening up the possibility of exposing credit card information, personal passwords, messages, emails and practically any other data on your device.
The even more terrifying bit? Practically any implementation of a WPA2 network is affected by this vulnerability, and it’s not the access point that’s vulnerable. Instead, KRACK targets the devices you use to connect to the wireless network.
The website demonstrating the proof-of-concept states, “Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and others are all affected by some variant of the attacks.” That said, most current versions of Windows and and iOS devices are not as susceptible to attacks, thanks to how Microsoft and Apple implemented the WPA2 standard. Linux and Android-based devices are more vulnerable to KRACK.
What you can do
So what can you do right now?
Keep using the WPA2 protocol for your networks. It still the most secure option available for most wireless networks.
Update all your devices and operating systems to the latest versions. The most effective thing you can do is check for updates for all of your electronics and make sure they stay updated. Users are at the mercy of manufacturers and their ability to update existing products. Microsoft, for example, has already released a security update to patch the vulnerability. that it “will be patching any affected devices in the coming weeks.” Patches for Linux’s hostapd and WPA Supplicant are also available.
Don’t change your passwords. It won’t help, as this attack circumvents the password altogether.
Know that a KRACK is mostly a local vulnerability — attackers need to be within range of a wireless network. That doesn’t mean your home network is totally impervious to an attack, but the odds of a widespread attack are low due to the way the attack works. You’re more likely to run into this attack on a public network.
A list of vendors that have patched the vulnerability can be found on the CERT website, though the site appears to be under heavy traffic. See also ZDNet’s list of every patch for KRACK Wi-Fi attack available right now, and our .
More important KRACK facts
Fortunately, there are a few comforting thoughts:
- The Wi-Fi Alliance stated it now “requires testing for this vulnerability within our global certification lab network,” which is promising for for any new devices headed to shelves. It’s also providing a vulnerability detection tool for Wi-Fi Alliance members to test their products with.
- Using a virtual private network (VPN) will encrypt all your internet traffic and could protect you from such an attack. Not to mention, if you care about your online privacy or security anyway.
- Strictly using sites that use HTTPS can help protect you against KRACK, but HTTPS isn’t totally impervious either.
This is a developing story. Check back for additional tips as we have them.
WPA2 security flaw puts almost every Wi-Fi device at risk of hijack, eavesdropping (ZDNet): KRACK is a total breakdown of the WPA2 security protocol.
Here is every patch for KRACK Wi-Fi attack available right now (ZDNet): Vendors are reacting swiftly to an exploit that lets attackers eavesdrop on your network traffic.