If you are one of the billions of people that use Wi-Fi on a regular basis – and if you’re reading this online, chances are you’re using it right now – you’ll want to learn about a security exploit called KRACK.
KRACK, or Key Reinstallation Attacks, is the first vulnerability found in modern Wi-Fi security, called WPA2, that doesn’t rely on password guessing. Put simply, the exploit means that if you’re using a modern Wi-Fi system, public or private, then it doesn’t matter how complicated your password is, you may be vulnerable.
Cybersecurity circles were on edge late Sunday, following this recent advisory from the United States Computer Emergency Readiness Team:
“US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others,” the statement reads. “Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.”
The “4-way handshake” is how WPA2 confirms, using your network password, that you have proper access to a certain Wi-Fi network. As it verifies your password, WPA2 also negotiates a fresh encryption key that keeps subsequent traffic private. The KRACK exploit involves attacking the encryption process, which “can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on,” according to the KRACK website.
“In general, any data or information that the victim transmits can be decrypted,” the KRACK website states. “Additionally, depending on the device being used and the network setup, it is also possible to decrypt data sent towards the victim (e.g. the content of a website).”
So what can you do to prevent this type of hacking? Ars Technica advises “people should avoid using Wi-Fi whenever possible until a patch or mitigation is in place. When Wi-Fi is the only connection option, people should use HTTPS, STARTTLS, Secure Shell, and other reliable protocols to encrypt Web and e-mail traffic as it passes between computers and access points. As a fall-back users should consider using a virtual private network as an added safety measure, but users are reminded to choose their VPN providers carefully, since many services can't be trusted to make users more secure.”
The Wi-Fi Alliance says providers have started deploying security patches. Once updates are available to you, install them on all affected devices – such as smartphones and laptops. If you are using Linux or Android 6.0 or higher, you are especially vulnerable to this attack.