KRACK: that's the sound of Wi-Fi security breaking — here's what the latest big bug to be uncovered means for you.
Earlier today, researcher Mathy Vanhoef from Belgian university KU Leuven revealed a serious flaw in the encryption that secures the connection between wireless access points and the devices connect to them, leaving Wi-Fi connections at risk of being snooped on and worse.
If you read no further, there's one thing you need to do: update your devices and keep them updated.
Patches are already in the works and in some cases already rolled out to devices that solve this particular problem, and keeping software and devices up to date is a good security habit regardless of the bug in question.
Read on for more details on what KRACK is and what it means for you, according to a trio of security experts: Tarah Wheeler, cybersecurity fellow at New America and principal security advisor at Red Queen Technologies; Jarno Niemelä, senior researcher at F-Secure Labs; and Bob Rudis, chief security data scientist at Rapid7.
What is KRACK?
To start, KRACK stands for Key Reinstallation Attack — security researchers like dramatic sounding names for the flaws they find. Nicknames aside, KRACK is a flaw in WPA2, a Wi-Fi network protection standard that's used in pretty much all connected devices.
When your phone connects to a Wi-Fi connection — such as in Starbucks or via your home router — the network and your device do a handshake to prove their identities to each other. In this flaw, one part of that handshake is forced to repeat over and over until hackers can figure out how it works.
Think of it like an actual secret handshake; if you could watch it repeatedly, you'd be eventually able to guess it. (The full version is much more complicated of course, and you can read the full paper here.)
That means a hacker could see what you're sending down the network — your messages, email and web browsing, as well as credit card details and photos — and potentially even hide fake traffic, too. The bug is in the vast majority of Wi-Fi systems, and while that's terrifying on its own, security researchers are particularly alarmed because the flaw was found in a system they trusted.
The bug is in that Wi-Fi standard itself, meaning it essentially impacts every device that connects over Wi-Fi — which is everything from your smartphone to your laptop, and much more besides. "It impacts everything — it isn't just one operating system, it isn't just one device," said Rudis.
Should you be concerned?
Scary and serious as this flaw is, there is no reason to panic. There have been no known attacks by actual hackers — "in the wild", as researchers like to say — and that's at least partially because it's a difficult bug for hackers to actually use.
"The sky is absolutely not falling on this, but this is a really important vulnerability that folks need to be aware of," said Rudis.
Indeed, to make use of this flaw, a hacker would have to be physically near your Wi-Fi access point and have a fair amount of security skills. "While it is a deep and fundamental flaw in the implementation of wireless internet, it is also not something you have to worry about know unless someone is physically at your Wi-Fi access point," Wheeler said. "To be frank, if I looked outside my window right now and saw a sketchy-looking guy on a laptop tapping away… I wouldn't be worried about my wireless."
That could change if this bug goes "airborne," she notes, and hackers figure out how to target Wi-Fi connections from a distance, but so far that isn't possible. "That would be devastating, but right now it would be very hard to do this attack."
Plus, notes Niemelä, even if a hacker was parked in front of your home, they would only be able to meddle with your web traffic if you're not using a secured connection such as HTTPS, when the little green lock is in your browser or on a VPN, a virtual private network that creates a protected tunnel for your web traffic. "VPN is designed to protect users in totally insecure networks, so using a VPN will protect from this completely," said Niemelä.
What can you do to stay safe?
Plenty of companies already have patches ready to fix their software to ensure this hack can't be used on their devices. That includes Microsoft, and other companies are likely to soon follow suit. Google has yet to release one for Android, but it's on the way.
That means you need to run software updates on your devices, including your smartphones and laptop. That's good security advice at all times, as plenty of less-high-profile security bugs are fixed this way without all the headlines, so keep your devices up to date.
At home, your router will also need an update, but such hardware doesn't always get patches and when they do, it's not always obvious how to install them. If your smartphone and other gadgets are updated, you should be safe, but it's worth trying to update your router all the same.
You can likely find instructions by searching for the name of your router alongside "how to update," and the steps will likely involve accessing the admin panel. Those often look complicated, but don't be intimidated — it's often no more difficult than filling in a few bits and pieces in the web form and finding the "check for updates" button. "And if there's an update, apply it," said Wheeler.
Beyond updates, there are a few more extreme methods to ensure you're not being targeted by hackers using this bug, but for most of us they aren't necessary. The most basic solution is to simply avoid Wi-Fi by using the mobile connection on your phone or cable with your laptop — but for most of us this really isn't necessary. And as above, using a VPN (virtual private network) should also helpyou avoid any snooping.
Instead, the best way to protect yourself is to learn good security habits: install all updates, use secured connections (such as HTTPS) when available, and use a VPN if you're on a network you don't trust.
But, notes Wheeler, those are all simply good pieces of advice all the time. "You should be doing it anyway," she laughs.
Related: What Apps to Use to Keep Your Messages Private
