A devastating flaw in Wi-Fi’s WPA security protocol makes it possible for attackers to eavesdrop on your data when you connect to Wi-Fi. Dubbed KRACK, the issue affects the Wi-Fi protocol itself—not specific products or implementations—and works against all modern protected Wi-Fi networks. Which means that if your device uses Wi-Fi, KRACK likely impacts it.
Read on for what you need to know about the KRACK Wi-Fi vulnerability, from how it works to how to best protect yourself against it.
How does KRACK break Wi-Fi security?
KRACK (short for Key Reinstallation AttaCK) targets the third step in a four-way authentication “handshake” performed when your Wi-Fi client device attempts to connect to a protected Wi-Fi network. The encryption key can be resent multiple times during step three, and if attackers collect and replay those retransmissions in particular ways, Wi-Fi security encryption can be broken.
What devices are affected by KRACK?
If your device uses Wi-Fi, it’s likely vulnerable to the KRACK Wi-Fi security flaw to some degree, though some get it worse than others.
What happens when Wi-Fi security is broken?
For starters, the attacker can eavesdrop on all traffic you send over the network. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on.
How to protect yourself from KRACK’s Wi-Fi flaw
Keep your devices up to date! Given the potential reach of KRACK, expect new patches to come quickly from major hardware and operating system vendors. Microsoft says a security patch is already incoming for Windows PCs.
Until those updates appear, consumers can still take steps to safeguard against KRACK. The easiest thing would be to simply use a wired ethernet connection, or stick to your cellular connection on a phone. That’s not always possible though.
If you need to use a public Wi-Fi hotspot—even one that’s password protected—stick to websites that use HTTPS encryption. Secure websites are still secure even with Wi-Fi security broken. The URLs of encrypted websites will start with “HTTPS,” while unsecured websites are prefaced by “HTTP.”
And again, keep your security software up to date to protect against potential code injected malware.
Is my phone at risk?
KRACK is a different sort of attack than previous exploits, in that it doesn’t go after devices, it goes after the information you use them to send. So while the data stored on your phone is safe from hacking, whenever you use it to send a credit card number, password, email, or message over Wi-Fi, that data could be stolen.
So my router is vulnerable?
That’s closer, but still not totally accurate. It’s not the device that’s at risk, it’s the information, so the sites you visit that aren’t HTTPS are most vulnerable.
Oh, so I should change my Wi-Fi password then?
Well, you can, but it’s not going to stop the likelihood of attack. The exploit targets information that should have been encrypted by your router, so the attacker doesn’t need to crack your password to implement it. In fact, it has no bearing on the attack whatsoever.
So all devices are at risk?
Now you’re getting it. However, while any device that sends and receives data over Wi-Fi is at risk, the researchers who uncovered the attack said Android devices were more at risk than other mobile phones.
Great, I have an Android phone. But I’m running Nougat so I’m safe, right?
Unfortunately, no. Newer phones running Android 6.0 or later are actually more at risk since there is an existing vulnerability in the code that compounds the issue and makes it easier to “intercept and manipulate traffic.”
So is my iPhone safe?
Safer than Android, but still not entirely safe.
What about my Mac?
The researchers who found the bug initially had a harder time cracking macOS, but subsequent attacks were easier to implement.
And Windows PCs too?
Yup, same deal, but Microsoft said in a statement that it has a security update to address this issue is incoming.
I run Linux. I’m impenetrable to attack, right?
Not quite. Researchers actually found that Linux machines were the most vulnerable desktop devices, with a similar bug to the one found in the Android code.
So should I turn off Wi-Fi?
That’s probably not a viable option for most people, but if you’re completely panic-stricken, then the only way to be completely safe is to avoid using Wi-Fi until you know your router has been patched.
OK, I’m not doing that. What else can I do?
Right now, all you can do is wait. Google has already confirmed that it is aware of the issue and will be distributing a patch, and Apple and Microsoft will presumably do the same, as well as Linux purveyors. So keep checking for updates and install them when they arrive.
Your Digital Life Simplified!
www.ezDigitalLife.com | (800) 669-2022