There’s a Huge WiFi Security Hole, But Don’t Panic
Update your phone as soon as possible, but don’t freak out about KRACK, the WiFi security issue with a very scary name.
The internet is abuzz with a new set of serious security issues impacting how much of the world secures its wi-fi networks. On Monday, researchers publicly disclosed ‘KRACK’, vulnerabilities that, in certain circumstances, could allow hackers to tamper with a hell of a lot of wi-fi connections, and then intercept passwords, credit card information, and all of the good stuff cybercriminals might be after.
But don’t panic—really. Although the bugs are concerning, general home users may not have too much to worry about, especially if they follow some established security advice. It’s the simple stuff you probably already do, too, like making sure you use websites with extra encryption when entering sensitive data.
In fact, the fix for many will be as simple as updating the software on your phone, if one is available.
“For those using a pre-shared password—the cliche "what is the WiFi password?"—this is a non-issue,” Nicholas Weaver, a senior researcher at the International Computer Science Institute at UC Berkeley, told The Daily Beast.
KRACK—or Key Reinstallation AttaCK—concerns WPA2, a protocol for protecting modern WiFi networks. Importantly, the issue is within the wi-fi standard itself, and not a particular faulty product from a vendor, a website spelling out the attack reads.
Basically, KRACK tricks your device into reinstalling an encryption key, meaning an attacker can then intercept the victim’s data. Mathy Vanhoef from Belgian university KU Leuven discovered the issues, and notes that they have not spotted the attack being used in the wild
But, there are several key caveats for the attack.
First, like with other WiFi based issues, the attacker or their tools need to be within range of the WiFi network itself. Typically, someone is not going to be able to just KRACK your home network or devices from very far away.
Secondly, websites increasingly use HTTPS—the protocol behind that green padlock in your address bar—to add another layer of encryption between your phone or computer and the website’s server. This means that even if someone is sniffing connections from your device out onto the WiFi network, they probably can’t see the content of what you’ve sent, like your password or credit card number.
It’s worth bearing in mind though that not all apps or programs may handle HTTPS properly, if at all—as the KRACK website highlights, banking apps, for example, have failed to securely handle sensitive information.
You may want to use a virtual private network, or VPN, to route all of your traffic through. This adds yet another protective layer onto your connection, and is often recommended for browsing while on a public, unsecured network. If you are going to do this, however, just don’t use a free one—more often than not, those sorts of networks are going to try and monetize you somehow.
In Weaver’s view, KRACK is only really of concern to business networks, and not normal home users. Hackers can already try and churn through all possible passwords for a home WiFi network and break in that way.
For larger scale networks, however, KRACK could be a big deal “if the enterprise in question also treats the wi-fi as a trusted network on-par with its internal wired network,” Weaver said. In other words, businesses may not want to send sensitive data across their WPA2 connections—as they might do for internal networks—now that KRACK is a known attack.
Finally, even though the KRACK issues are in the WPA2 protocol itself, implementations of it can be patched, a Q&A on the KRACK website notes. These fixes, which should roll out across devices soon—and some already have—will make sure that an encryption key is only installed once, stopping the newly discovered attack.
So update your phone, for example, as soon as you can. That may be an issue for certain, non-Google branded Android devices, which have trouble receiving timely security fixes in general, though.
“Just update your clients and be happy,” Weaver said.