As you may know, public Wi-Fi networks like those found in coffee shops are vulnerable to attack due to their open nature. But while staying off these networks has kept you safe in the past, a security expert has discovered that virtually every Wi-Fi network in the world has been compromised by a new flaw.
How did this happen? What does it mean for the average user? And how can you stay protected? Read on to find out.
A Note on Wi-Fi Security
Belgian security researcher Mathy Vanhoef found an exploit that allows attackers to break the most common form of encryption protection used in Wi-Fi networks around the world. It's called WPA2, which stands for Wi-Fi Protected Access II. As other encryption methods (such as WEP, Wired Equivalent Privacy) are no longer considered secure, virtually all modern Wi-Fi networks are secured with WPA2.
Encryption keeps your browsing information safe when you're connected to a Wi-Fi network. When properly encrypted, only your device and the website you're using can exchange information. A third party would have no way to break in and spy on what you're doing.
That's why this new vulnerability is a big problem.
What's the Vulnerability?
Vanhoef has nicknamed this exploit KRACK, which stands for Key Reinstallation Attack. The details are a bit complicated to discuss in this article, but the basics aren't hard to understand.
Whenever a device (like your laptop or smartphone) connects to a Wi-Fi network protected with WPA2, it engages in a "four-way handshake" to confirm that the connection is secure. The first two parts ensure that your device has the correct Wi-Fi password and is allowed to connect. If this passes, they continue to the third part of the handshake.
At this point, a new encryption key protects your session by encrypting the information that your device exchanges with the Wi-Fi network. But KRACK can intercept this key and use it against you. If a Wi-Fi network doesn't receive a response from your device, it will resend the key several times. An attacker can collect these re-sent messages and use them to decrypt information or spoof their own information.
It's a little technical, but the below video illustrates a KRACK attack:
In short: KRACK allows attackers to steal part of the encryption information that keeps your connection to Wi-Fi networks safe and read your private info or spoof their own.
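The simplified model below is an added example, not code from Vanhoef's research or from any vendor patch. It shows why a re-sent third handshake message matters: a client that installs the same key again restarts its packet counter and repeats its keystream, while a patched client ignores the repeat. The class and function names are hypothetical, and an HMAC-based keystream stands in for WPA2's real cipher.

```python
import hashlib
import hmac

def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    # Stand-in for the per-packet keystream (not real WPA2 encryption):
    # it depends only on the session key and the packet number.
    out, block = b"", 0
    while len(out) < length:
        msg = packet_number.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.packet_number = 0
        self.used = []  # every (key, packet number) pair used to encrypt

    def on_handshake_message3(self, session_key: bytes) -> None:
        # Patched behaviour: a repeated message 3 carrying the key that is
        # already in use must not install it a second time.
        if self.patched and session_key == self.key:
            return
        self.key = session_key
        self.packet_number = 0  # installing a key restarts the counter

    def send(self, plaintext: bytes) -> bytes:
        self.packet_number += 1
        self.used.append((self.key, self.packet_number))
        return xor(plaintext, keystream(self.key, self.packet_number, len(plaintext)))

def session_after_retransmit(patched: bool):
    """Return (keystream_reused, ciphertexts_leak_plaintext_xor)."""
    key = hashlib.sha256(b"constructed session key").digest()  # constructed sample
    p1, p2 = b"first frame after handshake", b"second frame, same length!!"
    client = Client(patched)
    client.on_handshake_message3(key)
    c1 = client.send(p1)
    client.on_handshake_message3(key)  # the network re-sent message 3
    c2 = client.send(p2)
    reused = len(client.used) != len(set(client.used))
    return reused, xor(c1, c2) == xor(p1, p2)

if __name__ == "__main__":
    print("unpatched:", session_after_retransmit(False))
    print("patched:  ", session_after_retransmit(True))
```
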
The Danger of KRACK
What can a hacker do with this new vulnerability?
Thankfully, it's not all bad news, as someone must be physically near a Wi-Fi network to take advantage of this. Thus your network isn't at risk from a hacker halfway around the world. Another small blessing is that attackers can only hit one network at a time with this. Even with several networks in range, they'd have to attack them one by one unless they had a lot of equipment on hand.
But these minor pluses don't detract from the reality that this vulnerability is bad news. If you're on a network that someone hits with a KRACK, they could steal your passwords, credit card numbers, emails, and anything else you send over the network. Additionally, this exploit lets hackers inject malware and other forms of infection into the websites you're visiting, making them dangerous to your PC.
The worst part of this is that the flaw exists in the Wi-Fi standard, not any particular device. So even if your iPhone receives an update to remedy this problem, other devices on your network are still vulnerable. This is why virtually every Wi-Fi network in the world is now a potential target for attack.
Affected Devices and Updates
Thankfully, developers are acting quickly to patch this vulnerability as best they can. Microsoft says it has already published an update for Windows to resolve the problem. Apple has published a fix in the beta versions of iOS and macOS, which should go live to the public in a few weeks.
So Microsoft stealth released a patch for KRACK a week ago on Windows 10. Good thing nobody ever complains about Windows updates...
— Severed Handrew (@andrewcarvalho) October 17, 2017
Unfortunately, the most susceptible devices are those running Android and Linux. The particular way that Android 6.0 Marshmallow and newer implement Wi-Fi encryption is easy to break with this exploit. On top of that, Android's fragmentation means that even when Google publishes an update to fix it (planned on November 6), many devices won't receive it for months.
How to Stay Safe
The most important aspect of this attack to remember is that it only affects Wi-Fi. Devices using a wired Ethernet connection aren't vulnerable. If you can connect your laptop to a wired network instead of a wireless one, certainly do that.
Second, avoid connecting to public Wi-Fi networks at all costs. Your home network is likely safe unless you live in a crowded area where someone in close proximity could launch an attack. But you never know who could be watching a public network. Use your phone's mobile data instead.
KRACK is only applicable in WiFi-range. If a shady hoodie is outside your house tapping on keyboard, encryption isn’t your top problem.
— Tarah M. Wheeler (@tarah) October 16, 2017
Third, it's vital to update all your devices as soon as you can. If you see a prompt to install an update, make sure you do so. The latest patches will help keep your devices protected.
Fourth, if you have a VPN for work or personal use, use it. This will protect your browsing traffic and provide another layer of security.
In the end, you shouldn't panic. This vulnerability is a big deal, but modern Wi-Fi equipment will be patched. We are addressing this for all our Managed Services clients. If you are interested in talking more about this, please feel free to contact us.