Why your Wi-Fi-connected device is vulnerable to hacks and what to do about it
Early Monday morning, university researcher Mathy Vanhoef launched a website detailing a new hack he discovered that essentially leaves all Wi-Fi connected devices vulnerable to cybercriminals.
A hacker can use the new attack technique, known as KRACK, to read information that was previously assumed to be safely encrypted, including credit card numbers, passwords, chat messages, emails, photos and more, Vanhoef wrote.
Any modern, protected Wi-Fi network is at risk, he said. Depending on the network configuration, hackers may also be able to inject and manipulate data, including malware or ransomware — a type of malicious software that will threaten to publish or block access to the victim’s data unless a ransom is paid.
The tech security world has been in a bit of an upheaval, especially since the vulnerabilities are in the encryption protocol itself and not individual devices, products or implementations. The vulnerability affects a core encryption protocol, or Wi-Fi Protected Access 2. WPA2 is basically a security protocol developed to secure wireless networks and help people keep their web data hidden.
A hacker can exploit the protocol’s weaknesses using Key Reinstallation AttaCKs (KRACKs) by tricking a victim into re-installing an encryption key that’s already been used. The “handshakes” between Wi-Fi routers and connecting devices use random and non-reusable strings of numbers, but a glitch in WPA2 means a hacker could replay the “handshakes” and cause the user to reinstall a number that’s in use.
Luckily, the hacker would need to be in physical proximity of the victim to be able to do so.
Vanhoef said the attack could be particularly serious for Android and Linux users and demonstrates it here.
What can I do?
Some manufacturers have started pushing out security updates patching up the vulnerabilities. Everything from routers to laptops and smartphones should be updated. Vanhoef doesn’t think a WPA3 is necessary.
“Luckily, implementations can be patched in a backward-compatible manner. This means a patched client can still communicate with an unpatched access point and vice versa. In other words, a patched client or access points sends exactly the same handshake messages as before and at exactly the same moments in time. However, the security updates will assure a key is only installed once, preventing our attacks. So again, update all your devices once security updates are available,” he wrote.
Patches probably won’t make it out to everyone because of the number of affected devices, but the U.S. Computer Emergency Response Team released an advisory listing vulnerable vendors, including Cisco, Google and Samsung, as well as others.
Google told Forbes they plan on patching affected devices in the coming weeks, and Microsoft confirmed it had rolled out security updates already.
“We have released a security update to address this issue. Customers who apply the update, or have automatic updates enabled, will be protected,” Microsoft said.
Other vendors are also working with customers to ensure any affected products are patched.
So when that annoying little notification pops up on your device suggesting a security update, don’t click “remind me later” today.