
This WPA2 KRACK attack means your WiFi is not secure – even though everyone thought it was

This newly reported flaw affects basically everybody – so here's what you should do.

A bombshell new report says it doesn't matter how good your password is, or what other security settings you have – if you're using WiFi, it's possible for someone to spy on every single thing you do.

And it affects essentially every WiFi network being used, from your private home set-up to the one at your local coffee shop.

The discovery of this serious new issue comes from Mathy Vanhoef, a Belgian computer security researcher. Vanhoef published the findings Monday on a dedicated website, KRACKattacks.com.

The flaw lets people "read information that was previously assumed to be safely encrypted," Vanhoef wrote. "This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on." 

And the scope is potentially huge: "The attack works against all modern protected Wi-Fi networks," he said.

How it works

We're going to keep this part brief, because it gets very technical very quickly.

It concerns the use of "WPA2," a proven method of protecting data on a network. (You've probably seen it when setting up WiFi at a new house or apartment.) WPA2 has been used to make WiFi connections secure for a decade now – it's the "modern standard," Consumerist explains, because it was thought to be well-protected.

The flaw Vanhoef discovered is in the core function of WPA2, during what's referred to as a "4-way handshake." The WiFi access point and the device that's connecting to it talk to each other to make sure credentials match. The device gets issued a new, fresh encryption key, which secures any data that gets sent over that connection (so web browsing, streaming, etc.).

But there's a way for an attacker to have the WiFi access point and your device redo part of that "handshake" process. It forces the device to take an already-used encryption key – not a fresh new one. That gives the attacker an opening to spy on any data that goes over the connection.
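To make the reused-key problem concrete, here is an added example in Python (not code from Vanhoef or from this article) that models an unpatched and a patched device side by side. It assumes a toy SHA-256 keystream in place of WPA2's real cipher, and the Client class, key and messages are made up for illustration. It goes slightly beyond the text by showing the packet counter reset that makes a reinstalled key dangerous.

```python
import hashlib

def keystream(key, nonce, length):
    # Toy stream cipher (SHA-256 in counter mode); an assumption standing in
    # for WPA2's real cipher. Same key + same nonce = same keystream.
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    # Hypothetical model of a device's key handling, not real Wi-Fi code.
    def __init__(self, patched):
        self.patched, self.key, self.nonce = patched, None, 0

    def on_handshake_msg3(self, key):
        # Patched: a repeated message 3 with the key already in use is
        # ignored, so the packet counter keeps counting up.
        if self.patched and key == self.key:
            return
        self.key, self.nonce = key, 0  # (re)installing resets the counter

    def send(self, plaintext):
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))

# Constructed sample data, for illustration only.
KEY = b"constructed-session-key"
MSG1 = b"GET /login user=alice"
MSG2 = b"GET /inbox?page=00002"

def run(patched):
    c = Client(patched)
    c.on_handshake_msg3(KEY)
    n1, ct1 = c.send(MSG1)
    c.on_handshake_msg3(KEY)   # part of the handshake is redone
    n2, ct2 = c.send(MSG2)
    # If the keystream repeated, XORing the two ciphertexts cancels it out
    # and leaves the XOR of the two plaintexts, with no key needed.
    return n1, n2, xor(ct1, ct2) == xor(MSG1, MSG2)

if __name__ == "__main__":
    print("unpatched:", run(False))
    print("patched:  ", run(True))
```

On the unpatched model both packets go out under counter value 1, which is why the encryption stops protecting them; the patched model moves on to 2 and the two ciphertexts no longer cancel.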

Here's a short demo video from Vanhoef (but heads-up, it's pretty technical):

Vanhoef refers to this as a KRACK attack, shorthand for "key reinstallation attacks."

Who does it affect?

Pretty much everyone.

Android, Apple, Windows and Linux are all vulnerable. And as mentioned above, it's not tied to any specific device or software – it's a problem within the way WPA2 operates.

"If your device supports Wi-Fi, it is most likely affected," wrote Vanhoef.

That's billions of devices.

Just to be clear, you could have the greatest WiFi password ever known to humankind and it would make no difference.

This vulnerability doesn't use a password to access anything, and it doesn't seek out the password. In fact, it's the first attack on WPA2 that "doesn't rely on password guessing," according to Vanhoef.

"Changing the password of your Wi-Fi network does not prevent (or mitigate) the attack," he wrote. "So you do not have to update the password of your Wi-Fi network."

A little bit of good news ... kind of

For an attacker to do this, they have to be within range of a WiFi network. So someone halfway across the world isn't going to be snooping around in your WiFi, monitoring you as you watch Stranger Things with your Stranger Things mug and toys before season 2 premieres.

Also, it's not easy. A computer novice won't be able to pull this off, with Vanhoef acknowledging some of the scenarios are "rather impractical" – but still warning the general strategy could certainly be abused.

Vanhoef said it's not known right now if this attack is being used out in the wild – which you can take as glass-half-full or glass-half-empty, depending on your world view.

So what should I do?

There's nothing you can immediately do to prevent this, outside of not using WiFi (but let's be honest, that's not going to happen).

The best course of action? 

Update your laptop/phone/tablet every time it requests you to do so. Don't click "Remind me later" for two weeks like you normally would.

That's because there is a fix for this WPA2 flaw. Developers were notified of this problem back in July, Vanhoef said, and at least one (OpenBSD) has already released a patch. Microsoft put out its patch on Oct. 10, U.S. CERT says. Apple also has said a fix is coming.

Char.gd has a running list of vendors that have released a fix.

So update, update, update.
