This WPA2 KRACK attack means your WiFi is not secure – even though everyone thought it was

This newly reported flaw affects basically everybody – so here's what you should do.

A bombshell new report says it doesn't matter how good your password is, or what other security settings you have – if you're using WiFi, it's possible for someone to spy on every single thing you do.

And it affects essentially every WiFi network being used, from your private home set-up to the one at your local coffee shop.

The discovery of this serious new issue comes from Mathy Vanhoef, a Belgian computer security researcher. Vanhoef published the findings Monday on a dedicated website, KRACKattacks.com.

The flaw lets people "read information that was previously assumed to be safely encrypted," Vanhoef wrote. "This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on." 

And the scope is potentially huge: "The attack works against all modern protected Wi-Fi networks," he said.

How it works

We're going to keep this part brief, because it gets very technical very quickly.

It concerns the use of "WPA2," a proven method of protecting data on a network. (You've probably seen it when setting up WiFi at a new house or apartment.) WPA2 has been used to make WiFi connections secure for a decade now – it's the "modern standard," Consumerist explains, because it was thought to be well-protected.

The flaw Vanhoef discovered is in the core function of WPA2, during what's referred to as a "4-way handshake." The WiFi access point and the device that's connecting to it talk to each other to make sure credentials match. The device gets issued a new, fresh encryption key, which secures any data that gets sent over that connection (so web browsing, streaming, etc.).

But there's a way for an attacker to have the WiFi access point and your device redo part of that "handshake" process. It forces the device to take an already-used encryption key – not a fresh new one. That gives the attacker an opening to spy on any data that goes over the connection.

Here's a short demo video from Vanhoef (but heads-up, it's pretty technical):

Vanhoef refers to this as a KRACK attack, shorthand for "key reinstallation attacks."
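
To make the key-reuse problem concrete, here is a small Python model added for this article (it is not Vanhoef's code or any vendor's). It goes one step beyond the description above: reinstalling the key also resets the device's per-packet counter, so two different frames end up encrypted with the same keystream. The `Client` class, `run_session` and the HMAC-based keystream (a stand-in for the AES cipher WPA2 uses) are assumptions made for illustration.

```python
import hashlib
import hmac

def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, packet number), standing in for AES-CTR in CCMP."""
    out, block = b"", 0
    while len(out) < length:
        msg = packet_number.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Simplified Wi-Fi device: only key installation and frame encryption are modelled."""
    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.packet_number = 0
        self.used = []  # (key, packet number) pairs used so far

    def on_handshake_message_3(self, key: bytes) -> None:
        # Patched behaviour: a repeated message 3 carrying the key that is
        # already installed must not reset the packet number.
        if self.patched and key == self.key:
            return
        self.key = key
        self.packet_number = 0  # an unpatched device does this on every message 3

    def send(self, plaintext: bytes) -> bytes:
        self.used.append((self.key, self.packet_number))
        ct = xor(plaintext, keystream(self.key, self.packet_number, len(plaintext)))
        self.packet_number += 1
        return ct

def run_session(patched: bool):
    """Send a frame, receive a repeated message 3, send another frame."""
    key = bytes(range(16))  # constructed sample session key
    client = Client(patched)
    client.on_handshake_message_3(key)
    c1 = client.send(b"first frame data")
    client.on_handshake_message_3(key)  # the redone part of the handshake
    c2 = client.send(b"second frame dat")
    nonce_reused = len(set(client.used)) < len(client.used)
    return nonce_reused, xor(c1, c2)
```

With `run_session(False)` the counter is reused and XOR-ing the two ciphertexts gives the XOR of the two plaintexts, with no key needed; with `run_session(True)` neither happens, which is what the software updates change.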

Who does it affect?

Pretty much everyone.

Android, Apple, Windows and Linux are all vulnerable. And as mentioned above, it's not tied to any specific device or software – it's a problem within the way WPA2 operates.

"If your device supports Wi-Fi, it is most likely affected," wrote Vanhoef.

That's billions of devices.

Just to be clear, you could have the greatest WiFi password ever known to humankind and it would make no difference.

This vulnerability doesn't use a password to access anything, and it doesn't seek out the password. In fact, it's the first attack on WPA2 that "doesn't rely on password guessing," according to Vanhoef.

"Changing the password of your Wi-Fi network does not prevent (or mitigate) the attack," he wrote. "So you do not have to update the password of your Wi-Fi network."

A little bit of good news ... kind of

For an attacker to do this, they have to be within range of a WiFi network. So someone halfway across the world isn't going to be snooping around in your WiFi, monitoring you as you watch Stranger Things with your Stranger Things mug and toys before season 2 premieres.

Also, it's not easy. A computer novice won't be able to pull this off, with Vanhoef acknowledging some of the scenarios are "rather impractical" – but still warning the general strategy could certainly be abused.

Vanhoef said it's not known right now if this attack is being used out in the wild – which you can take as glass-half-full or glass-half-empty, depending on your world view.

So what should I do?

There's nothing you can do immediately to prevent this, outside of not using WiFi (but let's be honest, that's not going to happen).

The best course of action? 

Update your laptop/phone/tablet every time it requests you to do so. Don't click "Remind me later" for two weeks like you normally would.

That's because there is a fix for this WPA2 flaw. Developers were notified of this problem back in July, Vanhoef said, and at least one (OpenBSD) has already released a patch. Microsoft put out its patch on Oct. 10, U.S. CERT says. Apple also has said a fix is coming.

Char.gd has a running list of vendors that have released a fix.

So update, update, update.
