Well, there’s cheerful news to start off the week: Researchers have discovered and disclosed a massive WiFi vulnerability that puts everyone’s private data at risk. How massive? Basically, if you can read this story, congratulations — you’re almost certainly affected.
The researchers, based out of the University of Leuven in Belgium, have given this WiFi flaw the catchy name of “Krack Attack.”
What’s the danger?
You may remember the last time you connected your phone, laptop, or other device to a new WiFi network. When it asked you for the network password, it also said something about the security protocol, perhaps listing something like “WEP” or “WPA2,” or asking you to choose from a list of types.
Older standards, WEP and WPA, have known weaknesses and aren’t considered the safest go-to any longer. The WPA2 security protocol is the current, modern standard and has been for about a decade.
Unfortunately, that WPA2 standard is also where the researchers found this vulnerability.
The flaw has to do with the actual encrypted messages that devices send each other to authenticate when they connect. The researchers proved that someone can manipulate those connections, abuse the vulnerability, and gain access to communications that are supposed to be secure.
The upshot is that a malicious actor can use this weakness “to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on.” Basically, any data you can send, they can access. Someone could also use the same vulnerability to add extra data onto your device that should not be there — like, for example, ransomware or other malware.
Because the weak point is in the actual standard, it’s not limited to a single network or device. It’s pervasive — every single device that can communicate in this way, which is basically all of them, is potentially susceptible. The list includes all Android, Apple, Linux, and Windows devices — your standard phones and laptops — as well as the routers they connect to, from companies like Linksys. Some devices, like those running Android are Linux, may be easier for hackers to manipulate than others, but none are safe.
If you speak network security, the research team explained the details, published a paper, and included a proof-of-concept demonstration on their website.
US-CERT, the division of the Department of Homeland Security that handles digital security, has confirmed their findings.
Is there anything I can do?
There’s nothing that individuals can do; changing your WiFi password or using a different device won’t help, since the flaw is embedded deep in the very basis of your internet connection.
But there is good news: This flaw is patchable.
Device manufacturers were all notified about the flaw before it was made public, and are working on updates to fix this particular danger. The best thing any home user can do is install security updates as soon as your devices prompt you to, and make sure you keep any computer, phone, or connected device as up-to-date as the manufacturer allows.