On Monday, Mathy Vanhoef, a Belgian researcher at KU Leuven, discovered a critical weakness in WPA2, a security protocol used to protect all modern Wi-Fi networks and devices around the world.
The technique can be used by an attacker to gain access to encrypted information being sent across the network, allowing them to steal passwords, credit card details, and emails, along with anything else being transmitted (for example instant messages or photos).
As the vulnerability is in the security protocol itself, all modern Wi-Fi networks and Wi-Fi enabled devices are likely to be affected.
So what is WPA2? The acronym stands for Wi-Fi Protected Access, with WPA2 being the second iteration of the widely used protocol. It provides each device connecting to a network with a unique encryption key that is used to scramble any transmitted data. This means that even if the data is intercepted, it can’t be read by an attacker.
The attack, named KRACK (short for Key Reinstallation Attack), works by first creating a malicious clone of the victim’s network and forcing their devices to connect to the internet through it. This allows the attacker to intercept all the encrypted transmitted data.
The attack then exploits a vulnerability in the WPA2 protocol to force the device to either repeatedly re-use the same encryption key (the sequence of digits used to scramble the transmitted information), or to use a specific, very weak encryption key, making it easy for the attacker to decrypt and read all of the web traffic going to and from the device.
In terms of what you can do to protect yourself, the most important thing is to update all of your devices (including your router and any other ‘peripheral’ wireless devices you may have, such as webcams/security cameras), as manufacturers are likely to be rolling out a security update to eliminate the vulnerability soon.
The other thing you can do is ensure you’re using HTTPS when browsing the web. This encrypts the data transferred between websites and your browser, and thus can protect your information even if your internet connection is compromised.
You can tell if you’re currently using HTTPS as your browser will show a small padlock logo next to the address bar.
To force your browser to use it all the time, you can install an extension called ‘HTTPS everywhere’, which is currently available for Chrome, Firefox and Opera, with a further variation called ‘SSL Always’ performing the same service on Safari.
Image: Glenn Carstens-Peters