A recently disclosed Wi-Fi vulnerability allows intruders to eavesdrop on your online activity, steal your confidential information, and in some cases lead you to download malicious software. The vulnerability impacts virtually all Wi-Fi connected devices, regardless of the operating system.
How does it work?
Named KRACK (Key Reinstallation AttaCK) by the security researcher who discovered it, this attack exploits a flaw in the implementation of the WPA2 encryption protocol, which is widely used to secure wireless networks around the globe. The flaw permits attackers to decrypt the communication between the device and the Wi-Fi Access Point (wireless router), which may include user names and passwords, credit card numbers and other confidential information victims may submit over the web.
In some cases, the attackers may also be able to alter the data they are intercepting, performing unauthorized actions on the sites the user visits, or attaching malicious code to the pages the user downloads.
The attack impacts all wireless devices that connect to a WPA2-secured network, including smartphones and tablets, home automation and security devices, TVs and streaming devices, and numerous other Internet of Things (IoT) devices. To perform the attack, the attacker must be within range of the wireless network.
How to protect against KRACK attacks
Because this is a flaw in a widely used encryption protocol, rather than in a specific device, it may take some time for every device manufacturer to patch this vulnerability. Nevertheless, there are several things you can do to minimize risk:
- Identify all wireless devices in your home and check with the manufacturers for patches, starting with your Wi-Fi router
- Disable Wi-Fi on your phone until the phone manufacturer releases a patch
- Use a VPN service whenever connecting to Wi-Fi, even at home
- Use a wired connection if possible