The Key Reinstallation Attack (KRACK) is the latest threat to sensitive data shared across Wi-Fi networks. This newly discovered (and serious) vulnerability affects WPA2 – the security protocol protecting modern Wi-Fi networks and devices. Smartphones, tablets, laptops: in fact, ANY device that is able to connect to Wi-Fi is likely affected.
Every time you connect a device to a Wi-Fi network, a 4-way handshake takes place, essentially confirming that both parties (your device and the network) have the correct login credentials. During this 4-way handshake, an encryption key is generated, protecting data shared over the connection. The vulnerability, discovered by KU Leuven’s Mathy Vanhoef, allows attackers to use this encryption key to intercept sensitive data previously presumed safely encrypted.
What does this mean for you? Attackers are now able to decrypt any information that you are accessing while connected to Wi-Fi: banking or credit card information, passwords, chats, emails, photos; the list of sensitive data goes on. Not only that, this vulnerability also allows attackers to implant potential malware (e.g., ransomware), increasing the risk. With this, there is potential for attackers to decrypt data sent to your device (e.g., website content). Many websites use added protection with HTTPS; however, it is possible to sidestep this precaution as well. Vanhoef warns that it is possible to bypass HTTPS in Apple’s iOS, OS X, Android apps, banking apps, even VPN apps – reiterating once more that any device that supports Wi-Fi is vulnerable.
What can you do to protect yourself from a “KRACK attack”? Vanhoef urges updating your Wi-Fi supporting devices as soon as security updates become available. Additionally, always remember never to enter your username and password or any other confidential information on any web page that does not have the green HTTPS lock, as shown below.
Watch this short demo video below from Vanhoef, showing how attackers can KRACK your username and password. (Fast forward to the 2:59 time mark to see the ‘non-geek’ portion of his demo.)