Today, security researchers published a paper detailing a serious vulnerability in WPA2, the protocol that keeps most modern Wi-FI networks secure—including the one in your home. Here’s how to protect yourself from attackers.
KRACK is shorthand for key reinstallation attack. When you connect a new device to a Wi-Fi network, and type in the password, a 4-way handshake takes place that ensures the correct password is used. However, by manipulating part of this handshake, an attacker can see and decrypt much of what happens on a Wi-Fi network, even if its owner doesn’t know the password. (If you’re technically- and security-minded, you can read the full paper for more details.)
Once someone has access to your network in this way, they can see much of the data you transmit, or even inject their own data—like ransomware and other malware—into the websites you visit (at least the ones using HTTP—sites using HTTPS should be safer from injection).
At the time of this writing, almost all devices are vulnerable to KRACK, at least in some shape or form. Linux and Android devices are most vulnerable, due to the specific Wi-Fi client they use—it is trivial to see large amounts of data transmitted by these devices. Note that KRACK does not reveal your Wi-Fi password to the attacker, so changing it won’t protect you. However, WPA2 is not irreversibly broken—the problem can be fixed with software updates, which we’ll talk about in a moment.
Should you be worried? Yes, at least somewhat. If you’re in a single-family home, the chances of you being targeted are smaller than if you’re in a busy apartment building, for example, but as long as you are vulnerable, you should be vigilant. It’s probably a good idea to stop using public Wi-Fi, even password-protected ones, until patches are released.
Thankfully, there are a few things you can do to protect yourself.
This is a major security issue that will likely be prevalent for quite some time. However, here are the things you should do right now.
You know how your PC and phone are always nagging you about software updates, and you just click “Install Later”? Stop doing that! Seriously, those updates patch vulnerabilities like this, which protect you from all kinds of nasty stuff.
Thankfully, as long as one device in a pair is patched—either the router or the computer/phone/tablet connecting to it—the data being transmitted between them should be safe.
That means if you update your router firmware, your network should be protected. But you’ll still want to update your laptop, phone, tablet, and any other device you bring to other Wi-Fi networks, in case they are not patched. Thankfully, your computer, phone, and tablet will notify you of updates; here’s what we know is patched right now:
This is good to know, but you should also check your router manufacturer’s web site periodically for router firmware updates—if you have an older router, it may not get updated, but many newer ones hopefully should. (If yours does not get an update, it might be a good time to upgrade that router anyway—just make sure your new one is patched for KRACK before you buy.)
In the meantime, if your router is not patched, it’s extremely important that every device on your home network does. Unfortunately, some may never get them. Android devices, for example, don’t always get timely updates, and some may never receive one for KRACK. Smarthome devices can be problematic as well, since they can still get malware that makes them part of a botnet. Keep an eye out for firmware updates to any other Wi-Fi connected devices you use, and email the manufacturers of those devices to see if they have issued or are planning on issuing a patch. Hopefully, since this vulnerability is already making big waves, device manufacturers will actually be incentivized to release patches.
While you wait for your devices to receive patches, make sure you take care of your personal data. If you do anything sensitive over the internet—email, banking, any site that requires a password—make sure you do it over HTTPS. HTTPS isn’t perfect, and some sites haven’t implemented it properly (like Match.com, as shown by the researchers), but it should still protect you in many situations.
Thankfully, more and more sites are using HTTPS by default these days, so you shouldn’t have to do much—just make sure you see that little lock icon when you connect to any site that requires a password or credit card information. And make sure that lock icon stays there as you use the site, since an attacker could attempt to strip the HTTPS protection at any time.
Even if your router does get patched, that doesn’t mean it’s safe from other attacks. Someone could compromise one of your devices using a KRACK attack, then install malware that attacks your network in other ways—like logging into your router using the password it came with. Make sure you aren’t using the default password on any device in your home, make sure your router uses WPA2 with AES encryption, and disable insecure router features like WPS and UPnP. These are all basic things everyone should do, but now’s a good time to double check.
This should go without saying—because you should already be doing it—but make sure you have decent antivirus and anti-malware software running on your PC. KRACK attacks can be used to inject malware into the sites you visit, and “just using common sense” will not protect you. We recommend using Windows Defender, which comes built-in to Windows 8 and 10, for your antivirus, along with Malwarebytes Anti-Malware to protect yourself from browser exploits and other types of attacks. Even if all your devices are fully patched against KRACK, you should be using these programs.
Here’s a demonstration of how KRACK works:
In short, this vulnerability is a big one, and the only way to truly protect yourself is to make sure your router and all your Wi-Fi connected devices are up to date. But while we wait for those updates, basic computer security can go a long way: use HTTPS wherever you can, don’t use the default passwords on your devices, run antivirus and anti-malware, and update your software as soon as you get that notification. You don’t want to get attacked only to realize five minutes of updates could have kept your data safe.