You might’ve heard word going around that WPA2, the encryption method used to secure just about every wireless network around the world, has been hacked. And indeed, Belgian security researchers have discovered a vulnerability in the WPA2 protocol that theoretically puts just about every wireless router out there at risk. So, is this the next big hack? Do you need to worry about it?
What exactly happened?
KRACK, which stands for Key Reinstallation Attack, was uncovered by security researcher Mathy Vanhoef at Belgian university KU Leuven. In short, it uses the handshake process that occurs when a device tries to join a protected network as the way in. After your device and the network make the handshake and verify the password, the encryption key for your connection is negotiated by the devices. This back-and-forth can be captured and used by an attacker. The handshake messages should be single-use communications, but wireless connections necessarily have to allow for packet drops, so the devices have to allow those messages to be re-sent, and that’s where they can be reused by the attacker to listen in on connections or inject malware.
The hack, Vanhoef says, could “be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”
Who is vulnerable and how dangerous is it?
At the moment, pretty much everyone. The vulnerability is in the core of the WPA protocol, so any device with WPA-compliant software, which includes just about any router, computer, or smartphone, is potentially vulnerable. This is different from something like a database breach at, for example, a credit reporting company, though, so don’t go unplug your home from the grid just yet. Where that situation is akin to someone robbing a bank or something like that, this is more like someone breaking into your house. A bump key might theoretically be able to open any standard tumbler lock it fits into, but someone actually has to come to your house and use it for it to work. Similarly, KRACK isn’t something someone is going to just unleash on the world so that suddenly all our browser windows are replaced with ASCII skulls.
But because this can affect any WPA-encrypted network, it’s good to be wary for a while when connecting to public networks. Your home network could theoretically be compromised, but that’s going to be a much less interesting target for an attacker than a coffee shop or McDonald’s or something like that.
How can we protect ourselves?
There are two ends to any connection in this case: the network, and the user device. Newer routers can be, and likely will be, patched. For your home network, you can check with your router’s vendor for that. Public networks are a tougher question, because that requires the owners of those networks to actually update them, and that’s not always high on the priority list for Ron’s Coffee Shop.
The bright side to this is that it can be entirely mitigated on the client side of things. Even on routers that haven’t been patched, an updated OS will do the job, and that will likely be taken care of before very long. Microsoft, for example, has already issued a security update for the hack, and Linux patches are already rolling out. If you don’t have automatic updates enabled, a quick Windows Update should clear up the issue. It’s likely that Apple and Google are already working on the issue as well. The toughest part of this will be patching the many versions of Android out there across different manufacturers and carriers.
In the meantime, protecting yourself is pretty simple. If you’re browsing HTTPS websites, you’re fine. Don’t visit sites with expired certificates (your browser will warn you about this), and maybe don’t go to shady parts of the internet on public connections. If you browse using a VPN, as you really should be doing in an ideal world, then you’re covered, as well. Both HTTPS and VPN browsing put another layer of encryption between you and a potential attacker. And if you’re browsing on a public network, make sure your computer sees that network in your operating system’s “Public Network mode,” which causes it to treat unexpected traffic more suspiciously.
Yes, this is a big deal, but no, it’s not the end of the world. Unlike when WEP, the previous wireless encryption protocol, was compromised, this can be patched. We likely won’t see the introduction of WPA3 or some other encryption as a result of this. WPA2 is over a decade old, so it wouldn’t be surprising to see something new soon, but this isn’t it. Keep your wireless devices updated and avoid public wireless signals for a while, and it’ll be fine.