So it turns out your Wi-Fi is vulnerable to hackers. A newly released research paper dropped a pretty sizable security bomb: The security protocol protecting most Wi-Fi devices can essentially be bypassed, potentially allowing an attacker to intercept every password, credit-card number, or super-secret cat pic you send over the airwaves.
So what, if anything, can you do about all this — other than go back to the Ethernet cable-laden Dark Ages? While at present there is no all-encompassing way to protect your Wi-Fi, there are a few steps that you can take to mitigate your risk. And you definitely should.
First, let’s take stock of just how bad things are. Researcher Mathy Vanhoef, who discovered the vulnerability, explains that it allows for an attack that “works against all modern protected Wi-Fi networks.” That means your home, office, and favorite cafe are all potentially at risk.
At issue is WPA2 (the standard Wi-Fi security protocol) itself — not how it’s being implemented. Vanhoef realized that he could “[trick] a victim [device] into reinstalling an already-in-use key,” subsequently allowing transmitted information to “be replayed, decrypted, and/or forged.”
Vanhoef has dubbed this method the KRACK attack, which stands for “ey einstallation ttas.”
Importantly, the researcher makes no claim that bad actors are currently exploiting the flaw that he discovered. (That doesn’t necessarily mean they’re not, though.)
“We are not in a position to determine if this vulnerability has been (or is being) actively exploited in the wild,” he writes on his website. So while no one may at present be using this method to snoop on your web browsing, it doesn’t mean someone hasn’t in the past or won’t in the future. In other words, it’s past time to take some precautionary measures.
What to do
Unfortunately, our options right now aren’t great. You can make sure your router configuration is up to date, and you should, but even that may not protect you from KRACK. Oh, and changing your Wi-Fi password won’t do anything to help. However, there is some good news. Notably, the problem can be fixed. That means you shouldn’t have to actually replace your vulnerable devices.
“[Luckily] implementations can be patched in a backwards-compatible manner,” writes Vanhoef. “This means a patched client can still communicate with an unpatched access point, and vice versa. […] However, the security updates will assure a key is only installed once, preventing our attacks. So again, update all your devices once security updates are available.”
Responsible device manufacturers around the world are scrambling to issue patches, and security researcher Kevin Beaumont notes a Linux patch already exists. Other companies are following suit, and Owen Williams of the Charged newsletter has compiled a list of which tech companies are on top of this mess. When patches do become available, you need to update your Wi-Fi-connected gadgets ASAP.
But wait, there’s another reason you can take a deep breath. Beaumont argues that the level of sophistication required to pull off KRACK on certain devices means the average consumer doesn’t have to freak out right now. Unless they’re running Android, that is.
“The attack realistically doesn’t work against Windows or iOS devices,” he explains. “The Group vuln is there, but it’s not near enough to actually do anything of interest. There is currently no publicly available code out there to attack this in the real world — you would need an incredibly high skill set and to be at the Wi-Fi base station to attack this. Android is the issue, which is why the research paper concentrates on it.”
So… we’re OK then?
The general consensus coming out of all this appears to be that yes, everything is screwed, but (for now) devices are vulnerable only to really skilled people, and most of those devices can also be protected. Basically, today is not the day that Wi-Fi died. If major providers scramble and release patches (some of which already have), and people actually update their devices, we’ll mostly be OK.
Sure, some manufacturers won’t issue fixes, and some consumers won’t update, but that’s the ongoing story of online security.
This is a good opportunity to make sure that your router’s settings are up to date (which, remember, at present still means it’s vulnerable to KRACK), and to set daily reminders to check if the manufacturer of your smartphone, laptop, desktop, tablet, router, smart TV, etc., have released a fix for KRACK. Because the responsible ones will, and when they do it will mean that you can go back to browsing the web one paranoid click at a time.
In the meantime, consider digging out that old Ethernet cable for any sensitive online transactions — your credit card number will thank you.