Most modern devices that use WiFi make use of a security protocol called WPA2. Basically you enter a password and you can connect to the network. But what you don’t see is how that password is just the first step in securing your connection. Once it’s entered, your phone, tablet, laptop, or other device negotiates a “4-way handshake” with a WiFi access point to establish an encryption key that’s designed to keep anyone from spying on your data.
But a team of security researchers has figured out how to spy on it anyway.
They’ve discovered a vulnerability in that 4-way handshake that can be exploited using key reinstallation attacks (or KRACKs).
How it works
Basically, the attack tricks a device into reinstalling the same encryption key multiple times, rather than generating a fresh one, and the attacker then exploits that key reuse to intercept data.
That means an attacker could potentially spy on you and steal sensitive data such as passwords or credit card numbers. Under some circumstances, an attacker could also inject malware including spyware or even ransomware into a website you’re visiting.
You can find more details about how the vulnerability can be exploited at KRACKattacks.com.
Scope of the issue
The good news, if there is any, is that an attacker will need to be within range of the WiFi access point to use a KRACK attack. So if you live in an isolated space, your home network might be reasonably safe. If you live in a densely populated area (I can currently see WiFi SSIDs for 10+ of my neighbors), you’re probably less safe. And then there are public WiFi spots like coffee shops and airports.
Now for the really bad news: pretty much all modern WiFi hardware is vulnerable. The attack works against just about anything that uses WPA or WPA2 security.
And the most vulnerable devices are Android and Linux devices that use wpa_supplicant 2.4 or later, because the client will install an encryption key that’s all zeros rather than the real key. That makes it very easy to attack those devices.
Know what uses wpa_supplicant? Google Android 6.0 or later. That means about 41 percent of all Android devices are vulnerable to this version of the attack. Keep in mind, all Android devices that use WPA2 are vulnerable to the more general version of a KRACK attack. But if you’ve got a relatively recent Android device then it’s even easier for someone to hack into your connection.
As for what kind of internet traffic can be intercepted, it’s pretty much all of it. While interacting with websites or apps that use HTTPS encryption may offer some extra security, it can be bypassed in some situations, allowing an attacker to spy on you while you’re using a mobile banking app, for example. Another example is shown in the video below, where a user trying to visit a website that would normally be protected by HTTPS is instead redirected to an insecure version.
Should I throw out my WiFi gear?
Nope. But you should probably be very careful about the networks you connect to and the sites you connect to for a while.
Security researcher Mathy Vanhoef discovered the vulnerability and says that it can be dealt with via a backward-compatible software patch that ensures an encryption key is never used more than once.
It’s likely that in the coming days, weeks, and months we’ll see updates rolled out for WiFi routers, phones, PCs, and other devices.
It takes two devices to get you connected: a client (like your PC or phone) and an access point (like a router). If at least one of those things is patched, you should be safe.
So if you’ve got an old router that rarely receives updates from the manufacturer, Vanhoef notes that you should be safe once your client-side devices are up to date. You might not need a security patch for your router, but you will most likely need the latest security updates from Microsoft, Apple, Google, or other operating system developers.
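To make the “how it works” and “patch” explanations above concrete, here is an added simulation (not code from the researchers, from wpa_supplicant, or from this article) of a WiFi client handling the handshake message that installs the encryption key. It models three clients: one that reinstalls the key and resets its packet counter on a repeated message (the general KRACK case), one that installs an all-zero key on the repeat (the wpa_supplicant 2.4+ case described above), and one with the fix that never installs the same key twice. The cipher is a stand-in: an HMAC-SHA256 keystream plays the role of the AES counter-mode keystream that WPA2’s CCMP uses, because the only property that matters here is that the same key and packet number always produce the same keystream. Frame contents and the handshake key are constructed values.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Stand-in for the CCMP keystream (assumption: HMAC-SHA256 instead of
    AES counter mode so the demo needs no third-party library).  The same
    key and packet number always yield the same bytes, which is exactly the
    property a stream-style cipher relies on never being reused."""
    out = b""
    block = 0
    while len(out) < length:
        msg = packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_bytes(*parts: bytes) -> bytes:
    """XOR any number of byte strings together, truncated to the shortest."""
    result = bytearray()
    for column in zip(*parts):
        value = 0
        for b in column:
            value ^= b
        result.append(value)
    return bytes(result)


def encrypt(key: bytes, packet_number: int, plaintext: bytes) -> bytes:
    """Counter-mode style encryption: plaintext XOR keystream (decrypt is the same call)."""
    return xor_bytes(plaintext, keystream(key, packet_number, len(plaintext)))


@dataclass
class Supplicant:
    """A toy WiFi client.  mode is 'vulnerable', 'zero_key' or 'patched'."""
    mode: str
    ptk: Optional[bytes] = None   # pairwise key derived during the 4-way handshake
    packet_number: int = 0        # CCMP packet number: the per-frame nonce
    installed: bool = False

    def receive_message3(self, ptk: bytes) -> str:
        """Handle the handshake message that carries the key to install.
        A repeated delivery of this message is what KRACK relies on."""
        if self.installed:
            if self.mode == "patched":
                # The fix described in the article: a key is installed once only.
                return "retransmission ignored: key already installed"
            if self.mode == "zero_key":
                # Models the wpa_supplicant 2.4+ behaviour from the article: the
                # real key was wiped after first use, so the reinstall writes zeros.
                ptk = bytes(len(ptk))
        self.ptk = ptk
        self.packet_number = 0    # (re)installing a key resets the nonce to zero
        self.installed = True
        return "key installed"

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Encrypt one frame under the current key and packet number."""
        self.packet_number += 1
        return self.packet_number, encrypt(self.ptk, self.packet_number, plaintext)


# Constructed sample frames: one whose content is predictable, one that is not.
KNOWN_FRAME = b"GET /login HTTP/1.1"
SECRET_FRAME = b"password=hunter2"


def simulate(mode: str) -> Tuple[int, bytes, int, bytes]:
    """Run a client through: install key, send a frame, receive the same
    handshake message again, send another frame.  Returns the packet numbers
    and ciphertexts of both frames."""
    ptk = hashlib.sha256(b"constructed PTK from a normal handshake").digest()
    client = Supplicant(mode=mode)
    client.receive_message3(ptk)
    pn1, c1 = client.send(KNOWN_FRAME)
    client.receive_message3(ptk)          # the same message delivered a second time
    pn2, c2 = client.send(SECRET_FRAME)
    return pn1, c1, pn2, c2


def recover_with_known_plaintext(c1: bytes, c2: bytes, known: bytes) -> bytes:
    """If two frames were encrypted with the same keystream, then
    c1 XOR c2 XOR known_plaintext == the other plaintext.  This is the
    reason key reuse lets a passive observer read traffic."""
    return xor_bytes(c1, c2, known)


if __name__ == "__main__":
    for mode in ("vulnerable", "zero_key", "patched"):
        pn1, c1, pn2, c2 = simulate(mode)
        guess = recover_with_known_plaintext(c1, c2, KNOWN_FRAME)
        print(f"{mode:10s} nonces={pn1},{pn2} recovered={guess == SECRET_FRAME}")
```

In the vulnerable case the second frame reuses packet number 1 under the same key, so one predictable frame is enough to read the other; in the zero-key case anyone can decrypt the second frame directly with a key of all zeros; in the patched case the repeated handshake message is ignored, the packet number keeps climbing, and the same calculation yields garbage. This is why a patch on either side of the link is enough: the access point stops repeating the message, or the client stops acting on the repeat.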
Update: Microsoft says a security update addressing the issue is already rolling out.
Update 2: Google also has a fix, which will roll out with its November security update… to all phones that actually get monthly security updates. It’s up to manufacturers to handle updates for most non-Nexus or Pixel devices.
Update 3: There’s a security patch for Debian Linux.
But if you’ve got an old router that doesn’t get security updates anymore, it’s probably a good idea to think about upgrading, or to find out whether you can replace your router’s firmware with an open source solution like DD-WRT or OpenWrt. That goes double if you have other old WiFi-enabled gadgets in your home that are unlikely to receive official security patches anytime soon.
The Wi-Fi Alliance has issued a statement saying that “there is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections,” including requiring that devices be tested for the vulnerability as part of its certification process.