There’s a serious security flaw in Wi-Fi and we’re all at risk

Beware the KRACK attack.
Photo: Mathy Vanhoef

A major security flaw has been discovered in Wi-Fi and we’re all at risk.

Researchers discovered the weakness in WPA2, the protocol that secures all modern Wi-Fi networks. Any modern device with a wireless connection could be open to a KRACK attack that would expose information like credit card numbers, passwords, messages and more.

WPA2, or Wi-Fi Protected Access II, was developed by the Wi-Fi Alliance to secure Wi-Fi networks. Launched in 2014, it encrypts the information sent between your router and your wireless devices, preventing anyone from intercepting your data.

But it turns out that WPA2 has a serious weakness. Security researcher Mathy Vanhoef warns that it can be abused to steal sensitive information, and all modern Wi-Fi networks are vulnerable. “If your device supports Wi-Fi, it is most likely affected.”

We’re all at risk of a KRACK attack

The attack is being dubbed KRACK, or “key reinstallation attack.”

Android and Linux devices are most vulnerable, but those from Apple and Microsoft are also at risk. (Update: Apple reportedly fixed the vulnerability in beta versions of iOS, tvOS, watchOS and macOS.)

Early research has found that OpenBSD, MediaTek, Linksys, and other devices are also affected by “some variant” of the attack.

How it works

A KRACK attack allows a hacker to intercept and decrypt the data transferred over a Wi-Fi network.

It does this by interfering with the “four-way handshake” every Wi-Fi network uses to distribute a fresh encryption key when a device is connected. More specifically, it replays one of the messages — the one that includes the new key — leaving the encryption protocol open to attack.

Once it is open, data packets can be replayed, decrypted and forged.
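To make the effect of the replayed handshake message concrete, here is an added example (not from the original article or from Vanhoef's own code) that models a client receiving the key-carrying message twice, with and without the patched behavior. The class and function names, the sample values and the HMAC-based toy keystream are assumptions for illustration; the per-frame counter reset on reinstallation is the detail from the published research that the model relies on.

```python
import hashlib
import hmac

P1 = b"frame-one: hello"   # constructed sample plaintexts, equal length
P2 = b"frame-two: world"


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    # Toy keystream derived from (key, nonce); a stand-in for WPA2's real cipher.
    # One HMAC-SHA256 output covers frames of up to 32 bytes.
    return hmac.new(key, nonce.to_bytes(8, "big"), hashlib.sha256).digest()[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.nonce = 0      # per-frame counter; must never repeat under one key
        self.used = []      # every (key, nonce) pair used to encrypt

    def on_message3(self, key: bytes) -> None:
        # Patched: a repeat of message 3 carrying the already-installed key
        # does not reinstall the key or reset the counter.
        if self.patched and key == self.key:
            return
        self.key = key
        self.nonce = 0

    def send(self, plaintext: bytes) -> bytes:
        self.nonce += 1
        self.used.append((self.key, self.nonce))
        return xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))


def run_session(patched: bool):
    """Message 3 arrives twice with the same key; returns (c1, c2, reuse_seen)."""
    key = b"constructed-session-key"   # constructed sample value
    client = Client(patched)
    client.on_message3(key)
    c1 = client.send(P1)
    client.on_message3(key)            # the replayed handshake message
    c2 = client.send(P2)
    return c1, c2, len(set(client.used)) < len(client.used)


if __name__ == "__main__":
    for patched in (False, True):
        c1, c2, reuse = run_session(patched)
        print(patched, reuse, xor(c1, c2) == xor(P1, P2))
```

In the unpatched run both frames are encrypted under the same key and counter, so XORing the two ciphertexts cancels the keystream and leaves the XOR of the plaintexts; the patched client keeps counting and the keystreams differ.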

Device manufacturers are aware

Wi-Fi device vendors are already aware of KRACK; Vanhoef informed them of the issue back in July. This gave them time to prepare patches before the problem was publicized. However, that doesn’t mean that our devices are now protected. There’s a good chance many are yet to be updated.

It’s not known if attackers have used this flaw in the real world yet. However, Vanhoef warns that now it has been made public, the chances of that have increased.

It can be stopped

The good news is that KRACK can be stopped with patches. We don’t need a new security protocol or new hardware. We don’t even need to change our Wi-Fi passwords.

“Instead, you should make sure all your devices are updated, and you should also update the firmware of your router,” Vanhoef writes. “After updating your router, you can optionally change the Wi-Fi password as an extra precaution.”

The bad news is that Vanhoef suspects other vulnerabilities just like this one lie in WPA2.

“We need more rigorous inspections of protocol implementations,” he explains. “This requires help and additional research from the academic community.”

You aren’t completely exposed

There are some important caveats here that you should take in before you panic.

Firstly, for a KRACK attack to be carried out, a hacker must be connected to your Wi-Fi network. That means they need the password for your router. There are ways to get around that, of course, but it’s important to remember that you have some protection.

Secondly, there are other security measures in place to protect your data. For instance, websites that use their own encryption — like your bank — are also keeping your sensitive data under wraps. This would prevent an attacker from obtaining it even if a KRACK attack was successful.
