A devastating flaw in Wi-Fi’s WPA security protocol makes it possible for attackers to eavesdrop(illegally listen traffic ) on your data when you connect to Wi-Fi. Dubbed KRACK, the issue affects the Wi-Fi protocol itself—not specific products or implementations—and “works against all modern protected Wi-Fi networks,” according to Mathy Vanhoef, the researcher that discovered it. That means that if your device uses Wi-Fi, KRACK likely impacts it. Fortunately, major tech companies are moving quickly to patch the issue.
KRACK (short for, uh, Key Reinstallation AttaCK) targets the third step in a four-way authentication “handshake” performed when your Wi-Fi client device attempts to connect to a protected Wi-Fi network. The encryption key can be resent multiple times during step three, and if attackers collect and replay those retransmissions in particular ways, Wi-Fi security encryption can be broken.
What devices are affected by KRACK?
If your device uses Wi-Fi, it’s likely vulnerable to the KRACK Wi-Fi security flaw to some degree, though some get it worse than others. “The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others.” HTTP content injection means the attacker could sneak code into the websites you’re looking at to infect your PC with ransomware or malware. An attacker needs to be in range of your Wi-Fi network to carry out any nefarious plans with KRACK. “You’re not suddenly vulnerable to everyone on the internet”.
“We are not in a position to determine if this vulnerability has been (or is being) actively exploited in the wild,” Vanhoef says. US-CERT’s advisory didn’t include any information about whether KRACK is being exploited in the wild, either.
How to protect yourself from KRACK’s Wi-Fi flaw
Keep your devices up to date! Vanhoef says “implementations can be patched in a backwards-compatible manner.” That means that your device can download an update that protects against KRACK and still communicate with unpatched hardware while being protected from the security flaw. Given the potential reach of KRACK, patches are coming quickly from many major hardware and operating system vendors. Up-to-date Windows PCs, for example, are already protected.
Until those updates appear for other devices, consumers can still take steps to safeguard against KRACK. The easiest thing would be to simply use a wired ethernet connection, or stick to your cellular connection on a phone. That’s not always possible though.
If you need to use a public Wi-Fi hotspot—even one that’s password protected—stick to websites that use HTTPS encryption. Secure websites are still secure even with Wi-Fi security broken. The URLs of encrypted websites will start with “HTTPS,” while unsecured websites are prefaced by “HTTP.” The Electronic Frontier Foundation’s superb HTTPS Everywhere browser plug-in can force all sites that offer HTTPS encryption to use that protection.
Alternatively, you can hop on a virtual private network (VPN) to hide all of your network traffic. Don’t trust random free VPNs, though—they could be after your data as well. PCWorld’s guide to the best VPN services can help you pick out a trustworthy provider. And again, keep your antivirus software up to date to protect against potential code injected malware.
Going forward, the Wi-Fi Alliance will require testing for the KRACK WPA2 vulnerability in its global certification lab network, so new devices will be protected out of the box.