New WiFi connection vulnerability discovered. Here’s what you need to know about “KRACK”

Posted on October 16th, 2017 by in Security.


Security researchers have discovered a vulnerability in the WPA2 protocol which allows for virtually any WiFi network to be hacked, potentially leaking sensitive data.

When you connect to a password protected WiFi network, you probably think that your connection, and all the data you transfer over WiFi, is safe. Unfortunately, researchers at the KU University of Leuven (Belgium) have discovered a vulnerability which makes it possible to compromise virtually any modern wireless network. The attack is a Key Reinstallation Attack (KRACK for short) targeting the WPA2 protocol which is used in almost all WiFi networks.

Who is impacted?

KRACK is a particularly devastating vulnerability because it targets a weakness in the WiFi standard itself. This means the problem is not isolated to specific vendors or products, but affects literally every modern, WiFi-capable device. In other words, every WiFi network and every WiFi-capable device is potentially impacted. Basically, if you have a WiFi-capable device and you use WiFi, you are vulnerable.

What can an attacker steal?

A compromised WiFi network can allow an attacker to steal a wide variety of sensitive information. Compromising the connection between a router and your device can jeopardize private information such as credentials, credit card numbers, chat messages, documents, emails, photos, and anything else that is transferred over the network. Moreover, attackers can also manipulate information transmitted to a potential victim by injecting malicious code or ransomware into websites.

How does KRACK work?

KRACK is a vulnerability in WPA2, the protocol that encrypts the connection between a WiFi access point and a connected device. To join a private WiFi network, a device and a router communicate through what is called the four-way cryptographic handshake. By proving knowledge of pre-set credentials (e.g. the WiFi password) and mutually agreeing on a fresh, one-time-use encryption key for the session, WiFi devices can connect to a WiFi router securely.

However, by manipulating and replaying the cryptographic messages exchanged during the handshake, it is possible to trick a device into reinstalling the same one-time-use encryption key over and over again. Each reinstallation resets the counters (nonces) that are supposed to make every encrypted packet unique, so the same keystream is reused. This is the weakness that allows the encryption to be broken, letting the attacker intercept and decrypt the transmitted information and, depending on the configuration, inject packets. To perform this attack, the attacker must be within range of the target WiFi network. The full technical description of the attack can be found here.
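To make the "reinstall the key, reset the counter" failure concrete, here is an added example (not code from the original post, and not the real WPA2/CCMP cipher): a toy model of a client's key-installation logic. The `Client` class, the SHA-256-based stand-in keystream and the hex key are all constructed for illustration. The vulnerable variant resets its packet number whenever handshake message 3 is delivered again; the hardened variant, mirroring what vendor patches did, refuses to reinstall a key that is already in use, so packet numbers keep increasing and the keystream is never reused. The `keystream_reused` check is the textbook confidentiality test: if two frames share a key and nonce, the XOR of their ciphertexts equals the XOR of their plaintexts.

```python
import hashlib


def keystream(key, nonce, length):
    """Toy counter-mode keystream (constructed stand-in for CCMP): fully
    determined by (key, nonce), just as the real keystream is determined by
    (session key, packet number)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            key + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Hypothetical model of a WiFi client's confidentiality state."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.ptk = None          # installed pairwise session key
        self.packet_number = 0   # nonce: must never repeat under one key

    def handle_message3(self, ptk):
        """Handshake message 3 may legitimately be retransmitted.
        Vulnerable behaviour: every delivery reinstalls the key and resets
        the packet number.  Hardened behaviour: a key that is already
        installed is never reinstalled, so the counter is preserved."""
        if self.hardened and self.ptk == ptk:
            return  # already in use: ignore the repeated message
        self.ptk = ptk
        self.packet_number = 0

    def encrypt(self, plaintext):
        """Encrypt one data frame; returns (packet number, ciphertext)."""
        pn = self.packet_number
        self.packet_number += 1
        return pn, xor(plaintext, keystream(self.ptk, pn, len(plaintext)))


# Constructed session key used by the simulation (not a real key).
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def simulate(hardened, frame1, frame2):
    """Finish the handshake, send frame1, deliver message 3 a second time,
    send frame2.  Returns (pn1, ct1, pn2, ct2)."""
    client = Client(hardened)
    client.handle_message3(SESSION_KEY)
    pn1, ct1 = client.encrypt(frame1)
    client.handle_message3(SESSION_KEY)   # retransmitted / replayed message 3
    pn2, ct2 = client.encrypt(frame2)
    return pn1, ct1, pn2, ct2


def keystream_reused(pn1, ct1, pn2, ct2, frame1, frame2):
    """Test-harness check: with a repeated nonce the identical keystream
    cancels out, so ct1 XOR ct2 == frame1 XOR frame2."""
    return pn1 == pn2 and xor(ct1, ct2) == xor(frame1, frame2)


if __name__ == "__main__":
    f1, f2 = b"frame one: hello!", b"frame two: bye!!!"   # constructed frames
    for hardened in (False, True):
        result = simulate(hardened, f1, f2)
        print("hardened" if hardened else "vulnerable",
              "keystream reused:", keystream_reused(*result, f1, f2))
```

Running the script prints `vulnerable keystream reused: True` and `hardened keystream reused: False`. The point of the hardened branch is small but decisive: the session key itself is fine, and only the rule "never install the same key twice" is needed to keep nonces unique.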

How to protect your WiFi connection

Because this is a newly discovered vulnerability, there are still no updates you can install to protect your devices against the KRACK attack. However, there are still several ways that you can protect yourself.

First, you can use a VPN service. A VPN (Virtual Private Network) establishes an encrypted tunnel between your computer or mobile phone and the VPN server. This encrypted tunnel makes it impossible for an attacker to view your internet traffic, even if you are connected to a vulnerable WiFi network. In fact, a VPN can even protect your internet traffic if you are connected to a public/unprotected network. By using a VPN, you render yourself immune to KRACK.

Proton VPN provides a completely free VPN service which can be used to protect your internet traffic, even if you are connected to a hacked WiFi network.

In addition to using a VPN, there are a few other safety tips to stay safe on WiFi:

  • Always visit sites with SSL encryption. Make sure all the sites you visit are HTTPS instead of just HTTP. HTTPS sites have an additional layer of encryption which can protect your traffic even if the WiFi network is compromised. For example, visit https://protonvpn.com and not http://protonvpn.com.
  • Install the latest software updates. Currently, there are no patches available for KRACK, so you should consider using a secure VPN service. However, most software providers (e.g. Microsoft for Windows, Apple for iOS, Google for Android) will eventually release patches. Keeping your operating system patched and up to date will help to protect against KRACK in the future.

Until software updates are released to patch this vulnerability, the only way of staying safe against a key reinstallation attack on your devices is to secure them with a strong VPN connection. Given the fact that VPN services such as Proton VPN are completely free, we recommend just using a VPN, especially since it brings other benefits such as protecting your privacy.

You can get your free Proton VPN account by signing up here.
Afterward, you can download free VPN here.

Proton was founded by scientists who met at CERN and had the idea that an internet where privacy is the default is essential to preserving freedom. Our team of developers, engineers, and designers from all over the world is working to provide you with secure ways to be in control of your online data.

12 comments

  1. Guardian

    If a WiFi network’s WPA2 is KRACK’d and the targeted user is not utilizing the VPN connection and uses a web browser to log in to the web-based ProtonMail server, does this mean that an attacker could view the data in the account?
    ~Thank You

  2. Gerald Gunia

    How do I go about using Proton as my primary email client on a laptop that has none? I would like step-by-step procedures as I am somewhat new to that process. Regards

  3. Irina M

    You can use Proton Bridge to add ProtonMail to any email client. If your laptop has none, you can download Thunderbird from Mozilla and add your ProtonMail account there. Learn more about Bridge here: https://protonmail.com/bridge/

    You can get Mozilla Thunderbird here: https://www.mozilla.org/en-US/thunderbird/

  4. Please address comment below

    Aphids Ecology’s comment below worries me. Is ProtonVPN only 24bit?

  5. Tom

    Has Apple released iOS or MacOS update to patch this KRACK vulnerability? I already have a Proton Plus account, but would be interested to know if such a critical gap is still being neglected. Thank you.

  6. Irina M

    Yes, Apple patched the vulnerability.

  7. Ronald Albert

    Will this Proton VPN affect my internet speed? Can I use any browser for the internet?

  8. ard

    The statement of no patches available should be rectified already.
    Ubuntu (Linux distribution) released a patch on 16 Oct. to protect against this vulnerability.
    With friendly regards,
    ard

  9. Dude

    As obvious as it is, it could be worth mentioning that there’s another way of staying safe against KRACK. And that is Ethernet.

  10. Simon

    Where is the ethernet jack on my iPhone?

  11. Patrick Schroeder

    How do you use Ethernet with a phone?

  12. Bob

    Would like to hear why I should switch from my current (IPVanish) to your product.
    Thank you
