A new attack on the WPA2 Wi-Fi protocol has been found, with Android and Linux users the most vulnerable. The proof-of-concept exploit is known as a Key Reinstallation Attack, or KRACK. It lets an attacker recover data that the Wi-Fi link was supposed to keep encrypted, meaning that passwords, user names, credit card numbers and other information you enter can be exposed.
According to researcher Mathy Vanhoef of the Katholieke Universiteit Leuven in Belgium: “This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”
What KRACK does
KRACK breaks WPA2's encryption by capturing and replaying handshake transmissions in a specific way. It targets the authentication handshake that takes place when a Wi-Fi client connects to a protected network: by replaying part of that handshake, the attacker tricks the client into reinstalling a key that is already in use, which undermines the encryption built on that key.
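The on-air symptom of a key reinstallation is something a network monitor can watch for, and the following is an added example (not code from the article or from the researcher) of a passive detector for it. Under WPA2's CCMP, every encrypted data frame carries a packet number (PN) that doubles as the nonce and must increase strictly for a given transmitter and key. A genuine rekey, seen as a 4-way handshake with a fresh ANonce, legitimately restarts the PN from zero; a replayed handshake message carrying an ANonce already seen gives the client no new key, so if the client's PN restarts anyway the same key is being used with repeated nonces, which is the condition KRACK creates. The event records, MAC addresses, nonce values and field names are this example's own constructed data, not a real capture.

```python
"""Passive monitor for nonce (packet number) reuse after a replayed handshake.

Added example with constructed sample data; it is not the article's code.
"""
from dataclasses import dataclass
from typing import List, Union


@dataclass(frozen=True)
class Handshake:
    """Observed 4-way handshake message 3 delivered to a client (constructed record)."""
    client: str   # client MAC, the transmitter of the data frames we watch
    anonce: str   # AP nonce carried in the message (hex string, constructed)


@dataclass(frozen=True)
class DataFrame:
    """Observed encrypted data frame sent by the client (constructed record)."""
    client: str
    pn: int               # CCMP packet number used as the nonce
    retry: bool = False   # 802.11 retry bit: a retransmission keeps its PN


Event = Union[Handshake, DataFrame]


@dataclass(frozen=True)
class Alert:
    client: str
    pn: int
    last_pn: int
    reason: str


class KeyReuseMonitor:
    """Tracks the highest PN per client under the currently installed key."""

    def __init__(self) -> None:
        self._last_pn = {}      # client -> highest PN seen under the current key
        self._anonce = {}       # client -> ANonce of the key currently installed
        self._replayed = set()  # clients that just saw a handshake with a reused ANonce
        self.alerts: List[Alert] = []

    def observe(self, ev: Event):
        if isinstance(ev, Handshake):
            return self._on_handshake(ev)
        return self._on_data(ev)

    def _on_handshake(self, hs: Handshake):
        if self._anonce.get(hs.client) == hs.anonce:
            # Same ANonce as the installed key: a retransmission, benign on its
            # own. Remember it so a following PN reset is attributed correctly.
            self._replayed.add(hs.client)
        else:
            # Fresh ANonce means a fresh pairwise key; the PN may restart legitimately.
            self._anonce[hs.client] = hs.anonce
            self._last_pn.pop(hs.client, None)
            self._replayed.discard(hs.client)
        return None

    def _on_data(self, fr: DataFrame):
        last = self._last_pn.get(fr.client)
        if last is None or fr.pn > last:
            self._last_pn[fr.client] = fr.pn   # normal strictly increasing PN
            return None
        if fr.retry and fr.pn == last:
            return None                        # link-layer retransmission, not nonce reuse
        if fr.client in self._replayed:
            reason = "PN restarted after handshake replay: key reinstalled, nonce reuse"
        else:
            reason = "PN not increasing under unchanged key: nonce reuse or frame replay"
        alert = Alert(fr.client, fr.pn, last, reason)
        self.alerts.append(alert)
        self._last_pn[fr.client] = fr.pn       # one alert per regression, then resume tracking
        return alert


def scan(events: List[Event]) -> List[Alert]:
    """Run every event through a fresh monitor and return the alerts raised."""
    mon = KeyReuseMonitor()
    for ev in events:
        mon.observe(ev)
    return mon.alerts


# Constructed sample trace: one client, one reinstallation, one genuine rekey.
CLIENT = "aa:bb:cc:00:00:01"
SAMPLE_EVENTS: List[Event] = [
    Handshake(CLIENT, "a1a1"),          # initial association, fresh key
    DataFrame(CLIENT, 1),
    DataFrame(CLIENT, 2),
    DataFrame(CLIENT, 2, retry=True),   # benign 802.11 retransmission
    DataFrame(CLIENT, 3),
    Handshake(CLIENT, "a1a1"),          # message 3 seen again with the same ANonce
    DataFrame(CLIENT, 1),               # PN restarted: key reinstalled, nonce reused
    DataFrame(CLIENT, 2),
    Handshake(CLIENT, "b2b2"),          # genuine rekey with a fresh ANonce
    DataFrame(CLIENT, 1),               # legitimate PN restart, no alert
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample trace, the monitor raises exactly one alert, for the PN going from 3 back to 1 after the repeated handshake, and stays quiet for the retransmitted frame and for the restart that follows the genuine rekey. A real deployment would feed it parsed EAPOL and CCMP headers from a monitor-mode capture; the same logic applies per transmitter.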
Secure your information
The attackers can only see your information if they are on the same Wi-Fi network as you. Public Wi-Fi hotspots are a danger point, and if you can, it is recommended to use your cellular data instead. If you cannot avoid a Wi-Fi hotspot, make sure you are viewing pages over HTTPS and not HTTP. HTTP is far less secure than HTTPS, so if you do have to enter information, check for HTTPS first.
A good VPN will encrypt most of your outgoing traffic, as will the Tor network and well-established encrypted protocols such as STARTTLS, Secure Shell (SSH) and others.
Updates and patches
Users are advised to update their devices to the latest security patches when they are released. Google Pixel will have security patches out soon, but other Android phones and tablets will have to wait until a patch is available from their phone manufacturer. This could take a few months, with some devices lagging on security updates already.
Microsoft released a patch for Windows devices to protect against KRACK before the public announcement. Apple has updated iOS, macOS, watchOS and tvOS betas with a fix for KRACK.
You may also need to update your router's firmware; Linux users should check their distribution's sites for updates, and everyone should keep track of when patches are due to be released. The biggest targets are likely to be large corporate and government Wi-Fi networks, because of the value of the information they carry.
Source: ArsTechnica