Researchers have found a major flaw in a protocol that protects modern Wi-Fi. This security flaw potentially allows hackers to steal private photos, messages, credit card details and much more. The flaw is in the WPA2 security protocol, and the attack is known as KRACK, short for “key reinstallation attack”.
KRACK targets the third step in a four-way authentication “handshake” performed when your Wi-Fi client device attempts to connect to a protected Wi-Fi network. The encryption key can be resent multiple times during step three, and if attackers collect and replay those retransmissions in particular ways, Wi-Fi security encryption can be broken.
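The effect of a resent step three can be seen in a small model. This is an added example, not code from the original article or from the researchers: the `Client` class, the toy `keystream` function and the sample data are assumptions, and it relies on the published detail that reinstalling the key resets the client's packet counter (nonce).

```python
import hashlib

P1, P2 = b"GET /inbox", b"PIN=4921!!"   # constructed sample plaintexts

def keystream(key: bytes, nonce: int, n: int) -> bytes:
    # Toy per-packet keystream from (key, nonce); an assumption, not WPA2's real cipher.
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big") + bytes([block])).digest()
        block += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:  # hypothetical model of a Wi-Fi client's key handling
    def __init__(self, patched: bool):
        self.patched, self.key, self.nonce, self.used = patched, None, 0, []

    def on_message3(self, key: bytes) -> None:
        # Patched clients ignore a retransmitted message 3 that carries the
        # key already in use, so the packet counter is never rewound.
        if self.patched and key == self.key:
            return
        self.key, self.nonce = key, 0      # (re)install key, counter starts over

    def send(self, plaintext: bytes) -> bytes:
        self.nonce += 1
        self.used.append(self.nonce)
        return xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))

def run(patched: bool):
    key = b"constructed-session-key"
    client = Client(patched)
    client.on_message3(key)                # step three of the handshake
    c1 = client.send(P1)
    client.on_message3(key)                # the same step three, resent
    c2 = client.send(P2)
    nonce_reused = len(set(client.used)) < len(client.used)
    # With a reused keystream, c1 XOR c2 equals P1 XOR P2: the key cancels out.
    return nonce_reused, xor(c1, c2) == xor(P1, P2)

if __name__ == "__main__":
    print("unpatched:", run(False))
    print("patched:  ", run(True))
```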
In simple terms, this flaw will allow attackers to intercept and read all the sensitive or personal data being transferred over the network.
“The attack works against all modern protected Wi-Fi networks,” researcher Mathy Vanhoef wrote on a website outlining his findings.
“If your device supports Wi-Fi, it is most likely affected.”
This vulnerability affects all major modern devices and operating systems including Windows, Linux, Apple, Android, etc.
There are some mitigating factors to this threat as well. To begin with, a hacker would have to be physically on the same Wi-Fi network as you to exploit this vulnerability. It’s not as if anyone sitting miles away can take advantage of it.
Secondly, if websites are using a second level of encryption, HTTPS, the hacker will not be able to grab the details unless that second level is also breached.
To sum up, this may sound like a weak exploit, but it is still important when reviewing your threat levels. It may cause plenty of communication disruption, privacy attacks and non-secure resources on the network, especially with cheaper internet-enabled devices that have poor security measures.
The problem is patchable, and the vendors were already warned back in July. Android users are at greater risk, but fixes will be available for them as well. It is going to take some time, though, to develop the patches and roll them out across all devices.
Until those updates appear, consumers can still take steps to safeguard against KRACK. The easiest thing would be to simply use a wired Ethernet connection, or stick to your cellular connection on a phone.
If you need to use a public Wi-Fi hotspot—even one that’s password protected—stick to websites that use HTTPS encryption. Secure websites are still secure even with Wi-Fi security broken. The URLs of encrypted websites will start with “HTTPS,” while unsecured websites are prefaced by “HTTP.”
Alternatively, you can hop on a virtual private network (VPN) to hide all of your network traffic. Don’t trust random free VPNs, though—they could be after your data as well.
The researcher said they didn’t know whether the vulnerability has been exploited by real-world attackers yet — but now that it has been made public, the chances of it happening seem likely to increase.
You can read more about the exploit at krackattacks