You might’ve heard word going around that WPA2, the encryption method used to secure just about every wireless network around the world, has been hacked. And indeed, Belgian security researchers have discovered a vulnerability in the WPA2 protocol that theoretically puts just about every wireless router out there at risk. So, is this the next big hack? Do you need to worry about it?
What exactly happened?
The KRACK security exploit was uncovered by security researcher Mathy Vanhoef at Belgian university KU Leuven, and stands for Key Reinstallation Attack. In short, it basically uses the handshake process that occurs when a device tries to join a protected network as the way in. After your device and the network make the handshake and verify the password, the encryption key for your connection is negotiated by the devices. This back-and-forth can be captured and used by an attacker. They should be single-use communications, but wireless connections necessarily have to allow for packet drops, so the devices have to allow those strings to be re-sent, and that’s where the strings can be reused by the attacker to listen in on connections or inject malware.
The hack, Vanhoef says, could “be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”
Who is vulnerable and how dangerous is it?
At the moment, pretty much everyone. The vulnerability is in the core of the WPA protocol, so any device with WPA-compliant software, which includes just about any router, computer, or smartphone, is potentially vulnerable. This is different from something like a database breach at, for example, a credit reporting company, though, so don’t go unplug your home from the grid just yet. Where that situation is akin to someone robbing a bank or something like that, this is more like someone breaking into your house. A bump key might theoretically be able to open any standard tumbler lock it fits into, but someone actually has to come to your house and use it for it to work. Similarly, the KRACK isn’t something someone is going to just unleash on the world and suddenly all our browser windows will be replaced with ASCII skulls.
But because this can affect any WPA-encrypted network, it’s good to be wary for a while when connecting to public networks. Your home network could theoretically be compromised, but that’s going to be a much less interesting target for an attacker than a coffee shop or McDonald’s or something like that.
How can we protect ourselves?
There are two ends to any connection in this case: the network, and the user device. Newer routers can be, and likely will be, patched. You can check with your router’s vendor for that, when it comes to your home network. Public networks are a tougher question, because that requires the owners of those networks to actually update them, and that’s not always high on the priority list for Ron’s Coffee Shop.
The bright side to this is that it can be entirely mitigated on the client side of things. Even on routers that haven’t been patched, an updated OS will do the job, and that will likely be taken care of before very long. Microsoft, for example, has already issued a security update for the hack, and Linux patches are already rolling out. If you don’t have automatic updates enabled, a quick Windows Update should clear up the issue. It’s likely that Apple and Google are already working on the issue as well. The toughest part of this will be patching the many various versions of Android out there across different manufacturers and carriers.
In the meantime, protecting yourself is pretty simple. If you’re browsing HTTPS websites, you’re fine. Don’t visit sites with expired certificates (your browser will warn you about this), and maybe don’t go to shady parts of the internet on public connections. If you browse using a VPN, as you really should be doing in an ideal world, then you’re covered, as well. Both HTTPS and VPN browsing put another layer of encryption between you and a potential attacker. And if you’re browsing on a public network, make sure your computer sees that network in your operating system’s “Public Network mode,” which causes it to treat unexpected traffic more suspiciously.
Yes, this is a big deal, but no, it’s not the end of the world. Unlike when WEP, the previous wireless encryption protocol, was compromised, this can be patched. We likely won’t see the introduction of WPA3 or some other encryption as a result of this. WPA2 is over a decade old, so it wouldn’t be surprising to see something new soon, but this isn’t it. Keep your wireless devices updated and avoid public wireless signals for a while, and it’ll be fine.
The Galaxy S20 Ultra's Space Zoom camera is amazing and a bit creepy
The Galaxy S20 Ultra supports up to 100X zoom, which Samsung calls Space Zoom, but is it any good? Can a phone really product usable photos at 100x zoom? We've got our Galaxy S20 Ultra already so join us to find out!
Win an iPhone, iPad and Apple Watch with the Reader's Choice giveaway!
What's the best phone of 2019? Is it the iPhone 11 Pro, Pixel 4 or OnePlus 7T? What about the best laptop, games console, tablet and more? Vote NOW in the Reader's Choice awards and win BIG in time for the holidays!
Here are the best products from IFA 2019!
Here are the products announced at IFA 2019 that were worthy of our Best of IFA 2019 awards. Also featuring MrMobile's single best product at the show!
Streamline your veggie prep with the best salad spinners
No more excuses for skipping out on salads because they take too much work. These salad spinners will shorten your prep time for one or many servings at once.