Vulnerabilities in WPA2, a protocol used by nearly all modern Wi-Fi devices, leave all Wi-Fi devices at risk of being snooped upon, a security researcher revealed on Monday. KRACK attacks make it possible “to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos” from any Wi-Fi device. Here’s what you need to know:
A security researcher by the name of Mathy Vanhoef has discovered serious vulnerabilities in WPA2, a protocol that secures all modern protected Wi-Fi networks.
The vulnerabilities are exploited using key reinstallation attacks (KRACKs) that target Wi-Fi clients like laptops, smartphones, and smart home devices — any device that connects to a router using Wi-Fi, really.
Vanhoef notes that, apart from the ability to steal sensitive information, “it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”
The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. This means any correct implementation of WPA2 is likely affected.
Apple devices, as well as those running Android, Linux, Windows, and OpenBSD, are all affected by some variant of the attacks. To prevent the attack, users must update affected products as soon as security updates become available.
Vanhoef notes that the attack does not recover the password of your Wi-Fi network. This means that changing the password of your Wi-Fi network does not prevent (or mitigate) the attack. Instead, you should make sure all your devices are updated, and you should also update the firmware of your router (if a new firmware is available). After updating your router, you can optionally change the Wi-Fi password as an extra precaution.
It’s possible that your router does not require security updates, as the attack targets Wi-Fi clients. You should contact your vendor for more details. For most home users, the priority should be updating clients such as laptops and smartphones.
Vanhoef advises users against switching to the insecure WEP protocol on their router while they wait for their devices to be patched.
As a user, there’s nothing for you to do other than wait for security updates for your Wi-Fi devices, such as smartphones and laptops. Install them as soon as they become available.
Phones that have been abandoned by their manufacturers, and other products (like smart home devices) that rarely receive updates, may remain vulnerable forever.