If you thought your protected Wi-Fi was safe, think again. Nearly all devices are affected by the new KRACK exploit.
Solid advice for setting up a new wireless router or Wi-Fi network in your home is to password-protect it. Set a secure password using Wi-Fi Protected Access 2 (WPA2) and only share it with those you trust.
Since the WPA2 standard became available in 2004, this was the recommended setup for wireless area networks everywhere — and it was thought to be relatively secure. That said, like the deadbolt on your house, password protection is really only a strong deterrent. Like most things, as secure as WPA2 was believed to be, it was only ever as strong as your password or any vulnerabilities discovered in its security.
Over the weekend, a vulnerability was indeed discovered and turned the internet on its head.
A proof-of-concept exploit called KRACK (which stands for Key Reinstallation Attack) was unveiled. The ominously named crypto attack exploits a flaw in the four-way handshake process between a user’s device trying to connect and a Wi-Fi network. It allows an attacker unauthorized access to the network without the password, effectively opening up the possibility of exposing credit card information, personal passwords, messages, emails and practically any other data on your device.
The even more terrifying bit? Practically any implementation of a WPA2 network is affected by this vulnerability, and it’s not the access point that’s vulnerable. Instead, KRACK targets the devices you use to connect to the wireless network.
The website demonstrating the proof-of-concept states, “Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and others are all affected by some variant of the attacks.” That said, most current versions of Windows and and iOS devices are not as susceptible to attacks, thanks to how Microsoft and Apple implemented the WPA2 standard. Linux and Android-based devices are more vulnerable to KRACK.
What you can do
So what can you do right now?
Keep using the WPA2 protocol for your networks. It still the most secure option available for most wireless networks.
Update all your devices and operating systems to the latest versions. The most effective thing you can do is check for updates for all of your electronics and make sure they stay updated. Users are at the mercy of manufacturers and their ability to update existing products. Microsoft, for example, has already released a security update to patch the vulnerability. Google said in a statement that it “will be patching any affected devices in the coming weeks.” Patches for Linux’s hostapd and WPA Supplicant are also available.
Changing your passwords won’t help. It never hurts to create more secure password, but this attack circumvents the password altogether, so it won’t help.
Know that a KRACK is mostly a local vulnerability — attackers need to be within range of a wireless network. That doesn’t mean your home network is totally impervious to an attack, but the odds of a widespread attack are low due to the way the attack works. You’re more likely to run into this attack on a public network.