This WPA2 KRACK attack means your WiFi is not secure – even though everyone thought it was

This newly reported flaw affects basically everybody – so here's what you should do.

A bombshell new report says it doesn't matter how good your password is, or what other security settings you have – if you're using WiFi, it's possible for someone to spy on every single thing you do.

And it affects essentially every WiFi network being used, from your private home set-up to the one at your local coffee shop.

The discovery of this serious new issue comes from Mathy Vanhoef, a Belgian computer security researcher. Vanhoef published the findings Monday on a dedicated website, KRACKattacks.com.

The flaw lets people "read information that was previously assumed to be safely encrypted," Vanhoef wrote. "This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on." 

And the scope is potentially huge: "The attack works against all modern protected Wi-Fi networks," he said.

How it works

We're going to keep this part brief, because it gets very technical very quick.

It concerns the use of "WPA2," a proven method of protecting data on a network. (You've probably seen it when setting up WiFi at a new house or apartment.) WPA2 has been used to make WiFi connections secure for a decade now – it's the "modern standard," Consumerist explains, because it was thought to be well-protected.

The flaw Vanhoef discovered is in the core function of WPA2, during what's referred to as a "4-way handshake." The WiFi access point and the device that's connecting to it talk to each other to make sure credentials match. The device gets issued a new, fresh encryption key, which secures any data that gets sent over that connection (so web browsing, streaming, etc.).

But there's a way for an attacker to have the WiFi access point and your device redo part of that "handshake" process. It forces the device to take an already-used encryption key – not a fresh new one. That gives the attacker an opening to spy on any data that goes over the connection.

Here's a short demo video from Vanhoef (but heads-up, it's pretty technical):

Vanhoef refers to this as a KRACK attack, shorthand for "key reinstallation attacks."
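To make the "already-used encryption key" step concrete, here is an added toy model of the client side of the handshake; it is not from the article or from Vanhoef's code. It assumes a simplified supplicant, substitutes SHA-256 for the real AES-CTR (CCMP) keystream, uses constructed sample frames, and the `patched` flag models the fix of refusing to reinstall a key that is already installed.

```python
import hashlib
import os

P1 = b"GET /login HTTP/1.1"   # constructed sample frames
P2 = b"password=hunter2x"


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Stand-in for the CCMP (AES-CTR) keystream: fully determined by (key, nonce).
    SHA-256 replaces AES only to keep the example dependency-free."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(6, "big") + bytes([block])).digest()
        block += 1
    return out[:length]


class Supplicant:
    """Client side of the handshake; install_key() is what message 3 triggers."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.nonce = 0  # packet number; must never repeat under one key

    def install_key(self, ptk: bytes) -> None:
        if self.patched and ptk == self.ptk:
            return  # fix: a retransmitted message 3 must not reinstall the key
        self.ptk = ptk
        self.nonce = 0  # reinstalling resets the packet number (the KRACK flaw)

    def encrypt(self, plaintext: bytes) -> tuple:
        ks = keystream(self.ptk, self.nonce, len(plaintext))
        frame = (self.nonce, bytes(p ^ k for p, k in zip(plaintext, ks)))
        self.nonce += 1
        return frame


def simulate(patched: bool) -> dict:
    """Deliver message 3 twice (normally, then replayed) and record what that does."""
    client = Supplicant(patched)
    ptk = os.urandom(16)
    client.install_key(ptk)            # first message 3: fresh key, packet number 0
    n1, c1 = client.encrypt(P1)
    client.install_key(ptk)            # replayed message 3: the same key again
    n2, c2 = client.encrypt(P2)
    # Same (key, nonce) gives the same keystream, so c1 XOR c2 == P1 XOR P2:
    # the encryption no longer hides the relationship between the two frames.
    xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
    return {"nonce_reused": n1 == n2, "keystream_reused": xor(c1, c2) == xor(P1, P2)}
```

With `patched=False` the replayed message resets the packet number and the two frames share a keystream; with `patched=True` the second install is ignored and the packet number keeps counting.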

Who does it affect?

Pretty much everyone.

Android, Apple, Windows and Linux are all vulnerable. And as mentioned above, it's not tied to any specific device or software – it's a problem in the way WPA2 itself operates.

"If your device supports Wi-Fi, it is most likely affected," wrote Vanhoef.

That's billions of devices.

Just to be clear, you could have the greatest WiFi password ever known to humankind and it would make no difference.

This vulnerability doesn't use a password to access anything, and it doesn't seek out the password. In fact, it's the first attack on WPA2 that "doesn't rely on password guessing," according to Vanhoef.

"Changing the password of your Wi-Fi network does not prevent (or mitigate) the attack," he wrote. "So you do not have to update the password of your Wi-Fi network."

A little bit of good news ... kind of

For an attacker to do this, they have to be within range of a WiFi network. So someone halfway across the world isn't going to be snooping around in your WiFi, monitoring you as you watch Stranger Things with your Stranger Things mug and toys before season 2 premieres.

Also, it's not easy. A computer novice won't be able to pull this off, with Vanhoef acknowledging some of the scenarios are "rather impractical" – but still warning the general strategy could certainly be abused.

Vanhoef said it's not known right now if this attack is being used out in the wild – which you can take as glass-half-full or glass-half-empty, depending on your world view.

So what should I do?

There's nothing you can do right now to prevent this, outside of not using WiFi (but let's be honest, that's not going to happen).

The best course of action? 

Update your laptop/phone/tablet every time it requests you to do so. Don't click "Remind me later" for two weeks like you normally would.

That's because there is a fix for this WPA2 flaw. Developers were notified of this problem back in July, Vanhoef said, and at least one (OpenBSD) has already released a patch. Microsoft put out its patch on Oct. 10, U.S. CERT says. Apple also has said a fix is coming.

Char.gd has a running list of vendors that have released a fix.

So update, update, update.
