Security researchers have discovered a vulnerability in the WPA2 protocol which allows for virtually any WiFi network to be hacked, potentially leaking sensitive data.
When you connect to a password protected WiFi network, you probably think that your connection, and all the data you transfer over WiFi, is safe. Unfortunately, researchers at the KU University of Leuven (Belgium) have discovered a vulnerability which makes it possible to compromise virtually any modern wireless network. The attack is a Key Reinstallation Attack (KRACK for short) targeting the WPA2 protocol which is used in almost all WiFi networks.
Who is impacted?
KRACK is a particularly devastating vulnerability because it targets a weakness in the WiFi standard itself. This means the problem is not isolated to specific vendors or products, but literally every single modern, WiFi capable device. In other words, every single WiFi network and WiFi capable device is potentially impacted. Basically, if you have a WiFi capable device and you use WiFi, you are vulnerable.
What can an attacker steal?
A compromised WiFi network can allow an attacker to steal a wide variety of sensitive information. Compromising the connection between a router and your device can jeopardize private information such as credentials, credit card numbers, chat messages, documents, emails, photos, and anything else that is transferred over the network. Moreover, attackers can also manipulate information transmitted to a potential victim by injecting malicious code or ransomware into websites.
How does KRACK work?
KRACK is a vulnerability in WPA2, the protocol ensuring an encrypted connection established between a WiFi access point and a connected device. In order to connect to a private WiFi network, a device and a router communicate through what is called a four-step cryptographic handshake. By exchanging pre-set credentials (e.g. WiFi password) and mutually agreeing to a one-time use encryption key, WiFi devices can connect to a WiFi router securely.
However, by manipulating the cryptographic messages exchanged during the handshake, it is possible to force WPA2 to re-use the one-time use encryption key over and over again. This introduces a weakness which allows the encryption to be broken, allowing the attacker to intercept and decrypt the transmitted information. In order to perform this attack, the attacker must be within range of the target WiFi network. The full technical description of the attack can be found here.
How to protect your WiFi connection
Because this is a newly discovered vulnerability, there are still no updates you can install to protect your devices against the KRACK attack. However, there are still several ways that you can protect yourself.
First, you can use a VPN service. A VPN (Virtual Private Network) establishes an encrypted tunnel between your computer or mobile phone and the VPN server. This encrypted tunnel makes it impossible for an attacker to view your internet traffic, even if you are connected to a vulnerable WiFi network. In fact, a VPN can even protect you internet traffic if you are connected to a public/unprotected network. By using a VPN, you render yourself immune to KRACK.
ProtonVPN provides a completely free VPN service which can be used to protect your internet traffic, even if you are connected to a hacked WiFi network.
In addition to using a VPN, there are few other safety tips to stay safe on WiFi:
- Always visit sites with SSL encryption. Make sure all the sites you visit are HTTPS instead of just HTTP. HTTPS sites have an additional layer of encryption which can protect your traffic even if the WiFi network is compromised. For example, visit https://protonvpn.com and not http://protonvpn.com
- Install the latest software updates. Currently, there are no patches available for KRACK, so you should consider using a secure VPN service. However, most software providers like Microsoft Windows, iOS, Android, etc, will eventually release patches. Keeping your operating system patched and up to date will help to protect against KRACK in the future.
Until software updates are released to patch this vulnerability, the only way of staying safe against a key installation attack on your devices is to secure them with a strong VPN connection. Given the fact that VPN services such as ProtonVPN are completely free, we recommend just using a VPN, especially since it brings other benefits such as protecting your privacy.