Internet surfing on mobile devices has seemed relatively safe since the 2001 Wi-Fi security protocol update and the advent of wireless data encryption. The WPA2 encryption standard mostly shielded us from being hacked on our private networks. However, new research from Belgian cyber security expert Mathy Vanhoef exposes a threat that proves our false sense of security is coming to an end thanks to the Key Reinstallation Attack (KRACK) vulnerability.
What Is the KRACK WPA2 Hack and How Does It Work?
WPA2 (or Wi-Fi Protected Access 2) is one of the current wireless security standards. Unlike its predecessors, it securely encrypts web traffic by way of a “four-way handshake” process that randomly generates an encryption key every time a device with matching credentials accesses a wireless network. This handshake protects your private home and business networks different with four authentication exchanges, ensuring information you send back and forth over the network is safely encrypted.
The KRACK vulnerability interferes with the four-way handshake by way of the encryption key; KRACK records the key and reinstalls it to be used multiple times. This allows the attacker access to communications between your device and wireless access point, as well as any information that isn’t otherwise encrypted. Hackers could potentially view and steal your credit card information, passwords, shared files, and any other private information sent across the web.
One caveat of the KRACK vulnerability is that hackers need to be within the range of your Wi-Fi network. This means that your personal information is safe from hackers on the other side of the world, but anyone in close proximity could gain access to your network traffic if they have technical skills. And even though a hacker must be in range to exploit this vulnerability, it’s possible KRACK could be used for packet injection (explained here) or inserting malware or ransomware into websites.
How Can I Protect My Network Privacy?
Though KRACK is disrupting our WPA2 sanctuary, there are many ways to ensure you’re safe—or as safe as you can be—until the WPA2 protocol is updated to prevent these attacks.
- Update Your Router
Most people don’t think about updating their router in the same way you update your phone or laptop software, but this is a vital step to protecting your wireless network from KRACK. You can find instructions to update some of the more common manufacturers’ router firmware here. If your router doesn’t belong to one of the companies that has released a firmware patch, you should contact your internet service provider.
- Update All Devices with Wi-Fi Connectivity
Thanks to Apple and Microsoft’s specific implementation of WPA2, they aren’t as vulnerable as other devices. However, that doesn’t mean your iPhone is safe. Mathy Vanhoef’s blog publicizing the vulnerability includes a demonstration of an attack on an Android device and links to examples of bypassing encryption in Apple operating systems, as well as other common encrypted applications. Any device with Wi-Fi capabilities needs to be updated as soon as patches are released. In the meantime, use Ethernet or cellular data on your mobile device if possible.
- Utilize Other Methods of Encryption
Even when this WPA2 vulnerability no longer exists, you should make sure you’re communicating with websites securely. Many websites use HTTPS, which you may have noticed during browsing sessions. Thankfully, most websites that handle sensitive personal information (banking and financial sites, etc.) already default to secure browsing, which encrypts private data. Browser extensions like HTTPS Everywhere will force sites to browse securely when the option is available. Communicating over a virtual private network (VPN) also encrypts all traffic, rendering it safe from KRACK. However, be aware that VPN providers may store your data in other ways, so make sure to research and select a trusted company.
- Take Stock of Your IoT Devices
The Internet of Things, while still new technology, is notorious for its inherent security weaknesses. Any IoT devices you have connected to your wireless network may need to be disconnected until patches are available. Information from most IoT devices is probably harmless even if hackers were able to gain access to it, but unless each device encrypts traffic, your privacy could still be compromised.
Thankfully, this vulnerability is getting much publicity. The US Computer Emergency Readiness Team continues to update its list of over 100 vendors and their software updates, and none of the indexed vulnerabilities are yet known to be used outside of research. It’s unlikely that an everyday WPA2 user has been affected by this breaking vulnerability, but it would be wise to exercise caution until more information and software updates are released. Be wary of any unfamiliar wireless networks, and keep an eye out for any notices from your hardware and internet service providers.