Conventional wisdom has long held that locking down your router with the WPA2 encryption protocol would protect your data from snooping. That was true for a long time, but maybe not for much longer. A massive security disclosure details vulnerabilities in WPA2 that could let an attacker intercept all your precious data, and virtually every device with Wi-Fi is affected.
The vulnerability has been dubbed a Key Reinstallation Attack (KRACK) by discoverers Mathy Vanhoef and Frank Piessens of KU Leuven. It’s not specific to any particular piece of hardware or device; it’s a flaw in the WPA2 standard itself. KRACK resembles a standard “man in the middle” attack in that it impersonates an existing network.
To exploit a network, attackers first clone the MAC address of the network and set up a duplicate of it on a different wireless channel. Devices connecting to the original can be forced onto the fake network. That would usually be impossible because of the non-matching AES encryption keys in WPA2, but KRACK leverages a flaw in the four-way handshake that confirms the match.
Normally, WPA2 requires a unique encryption key for each network frame. The KRACK vulnerabilities allow the rogue network to reuse old keys and reset the counter to make them valid again. At that point, it becomes trivially easy to decrypt traffic coming from a device.
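Why a reset counter is fatal, and what a patched client does differently, shown as an added example that is not part of the original article. It is a toy model: SHA-256 stands in for the real cipher, and the `Client` class, its `patched` flag and the sample frames are constructed for illustration.

```python
import hashlib

KNOWN = b"GET /index.html HTTP/1.1"    # constructed frame an observer could guess
SECRET = b"password=hunter2-example"   # constructed frame the observer wants

def keystream(key, packet_number, length):
    """Toy per-frame keystream: depends only on (key, packet number)."""
    out, block = b"", 0
    while len(out) < length:
        seed = key + packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(seed).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical Wi-Fi client; `patched` selects the hardened behaviour."""
    def __init__(self, patched):
        self.patched, self.key, self.pn = patched, None, 0

    def install_key(self, key):
        # Hardened: installing the key already in use must not reset the counter.
        if self.patched and key == self.key:
            return
        self.key, self.pn = key, 0

    def send(self, plaintext):
        self.pn += 1  # the counter must never repeat under one key
        return self.pn, xor(plaintext, keystream(self.key, self.pn, len(plaintext)))

def run(patched):
    """Return (counter_reused, what an observer recovers for the second frame)."""
    key = hashlib.sha256(b"constructed session key").digest()
    client = Client(patched)
    client.install_key(key)
    pn1, c1 = client.send(KNOWN)
    client.install_key(key)          # same key installed a second time
    pn2, c2 = client.send(SECRET)
    # With a repeated counter the keystreams cancel: c1 ^ c2 == KNOWN ^ SECRET.
    return pn1 == pn2, xor(xor(c1, c2), KNOWN)

if __name__ == "__main__":
    print("unpatched:", run(False))
    print("patched:  ", run(True))
```

In the unpatched run the second frame falls out in the clear without the key ever being known; in the patched run the counter keeps advancing and the same arithmetic yields only noise.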
There are multiple variants of this attack. The most severe version affects all current Linux distros and all Android devices running 6.0 or higher. Apple’s macOS is vulnerable to almost as many variants, but Windows is only affected by one version of KRACK. The iOS platform doesn’t have the most severe vulnerability, but several others do work. According to the researchers, every operating system and piece of networking hardware is susceptible to at least one flavor of KRACK.
So, what can you do about this? Not a whole lot right now. The issue exists on virtually all devices, and it’s up to vendors to release patches. Some router makers have started deploying fixes for enterprise-grade hardware. Microsoft has released a patch for its limited vulnerabilities, too. A few Linux distros have patches live, but it’ll take time for everyone to catch up.
Android devices are trickier. Google says it will have patches complete for existing devices in the coming weeks, but it’s up to individual OEMs to roll them out. Since it’s mostly newer phones that are affected, it shouldn’t be too much of a hassle. Any device with the November 2017 patch level or later will be protected.