Since 2003, Wi-Fi networks have been protected by a highly secure protocol known as WPA or WPA-2. The protocol protects information traveling from a Wi-Fi router to a computer, phone, tablet, gaming system, or any other internet-connected device. As long as your Wi-Fi password was secure, hackers and spies couldn’t inject code or spy on data, but now it seems WPA’s 14-year reign has come to an end. The reason? A new fundamental flaw in WPA itself that allows a hacker to gain access to your Wi-Fi if they are within range of your network.
This new flaw is called KRACK, and it lets attackers within Wi-Fi range easily inject computer viruses or read information transmitted from router to devices. KRACK stands for Key Reinstallation Attacks. Experts have known about the research behind the vulnerability for weeks, but it was publicly released only today.
Alan Woodward, a researcher at the University of Surrey’s Centre for Cyber Security, explains that “It seems to affect all Wi-Fi networks, it’s a fundamental flaw in the underlying protocol, even if you’ve done everything right [your security] is broken. [It means] you can’t trust your network, you can’t assume that what’s going between your PC and router is secure.”
By using the KRACK attack, hackers can potentially steal sensitive information like passwords, credit cards, or even photos. Of course, you might think that websites that use HTTPS encryption are completely safe. You can tell whether a website uses HTTPS by checking that its URL begins with https://. Google Docs, banking websites, and other secure websites use HTTPS encryption, but unfortunately, a large majority of other websites on the net don’t.
But the truth is that even HTTPS encryption might not be enough to protect your data from the KRACK attack. According to the researchers, “websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations.” The researchers explain that HTTPS was previously bypassed in “non-browser software, in Apple’s iOS and OS X, in Android apps, in Android apps again, in banking apps” and even in a large majority of insecure/free VPN apps on the Google Play Store. Every internet-connected device is vulnerable, and updating your Wi-Fi password to something secure isn’t good enough.
While all devices can be vulnerable to the KRACK attack, Android and Linux devices appear to be the most vulnerable. With these devices, hackers can force network decryption and steal data much more easily. Some Linux patches are available immediately, but distribution to Wi-Fi access points is not yet settled.
This issue is so severe that the United States Computer Emergency Readiness Team released an alert.
“US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.”
WPA or WPA-2 has existed since 2003, and until now it has stayed secure. The new KRACK vulnerability has to do with the way traffic is encrypted. Normally, encryption begins with a handshake in which a key is established. With the KRACK vulnerability, however, that key can be resent and reinstalled over and over, which eventually allows the encrypted traffic to be decrypted.
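To make the key reinstallation problem concrete, here is an added example (not part of the original post) that models a client before and after the fix of refusing to reinstall a key that is already in use. The Client class, the function names, the sample key and the HMAC-based keystream are assumptions made for illustration; real WPA2 uses AES-based ciphers.

```python
import hashlib
import hmac
from collections import Counter

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    # Toy stand-in (assumption) for the per-frame keystream; frames <= 32 bytes.
    return hmac.new(key, nonce.to_bytes(8, "big"), hashlib.sha256).digest()[:length]

class Client:
    """Simplified Wi-Fi client; patched=True ignores reinstalls of the current key."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.nonce = 0
        self.sent = []  # (nonce, ciphertext) pairs as they appear on the air

    def install_key(self, key: bytes) -> None:
        # Runs every time the handshake delivers the key, including resends.
        if self.patched and key == self.key:
            return  # hardened: key already in use, keep the nonce counter
        self.key = key
        self.nonce = 0  # vulnerable path: counter restarts under the same key

    def send(self, plaintext: bytes) -> None:
        self.nonce += 1
        ks = keystream(self.key, self.nonce, len(plaintext))
        self.sent.append((self.nonce, bytes(p ^ k for p, k in zip(plaintext, ks))))

def run_session(patched: bool) -> Client:
    key = b"constructed-session-key"  # constructed sample value
    client = Client(patched)
    client.install_key(key)
    client.send(b"GET /inbox")
    client.install_key(key)  # the same key arrives a second time
    client.send(b"user=alice")
    return client

def reused_nonces(client: Client) -> list:
    # Defender's check: any nonce used more than once under one key is a failure.
    counts = Counter(nonce for nonce, _ in client.sent)
    return sorted(n for n, c in counts.items() if c > 1)

def xor_of_first_two(client: Client) -> bytes:
    # With a repeated nonce the keystream cancels, leaving plaintext XOR plaintext.
    (_, a), (_, b) = client.sent[:2]
    return bytes(x ^ y for x, y in zip(a, b))
```

The unpatched client encrypts both frames with nonce 1, so the same keystream covers two different messages; the patched client keeps counting and never repeats a nonce.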
Because the WPA protocol is so widely deployed, it’s unlikely this vulnerability will be fixed right away, if at all. This means that hackers can eavesdrop on local Wi-Fi connections. However, since this breaking news was only released today, it’s not yet clear how widespread attacks will be, as the exploits have not yet been confirmed in the wild. If things get out of hand and the attacks turn out to be easy for hackers to perform, Wi-Fi at large may be in some serious danger.
How to Fix?
Right now, today’s top router manufacturers are scrambling to issue patches that will fix the KRACK Wi-Fi vulnerability. It is extremely important to install the very latest update for your router as soon as it becomes available. As relevant DD-WRT, Tomato, OpenWrt, and ASUSWRT updates are released, we will announce them to our users along with step-by-step instructions for updating the firmware.
Until an update is available for your Wi-Fi router, the only real solution to ensure privacy is to use a VPN to encrypt web traffic as it flows from the access point to the computer. With TorGuard, we use secure AES-256 encryption, as well as multiple safety features like kill switches that ensure you stay protected by powerful encryption 24/7. When using a VPN, even if the Wi-Fi router you are connected to is vulnerable, it would be impossible for hackers to decipher any traffic because the VPN tunnel is wrapped in encryption.