Your WiFi is the latest thing researchers have announced is broken, as they discovered a new type of attack is possible that can expose all your communications over WiFi. While this is a major flaw that can have serious repercussions, things aren’t as dire as they are sometimes painted to be.
Let’s explain this out a bit. It all started with Mathy Vanhoef and Frank Piessens at KU Leuven who discovered the problem with the WPA2 encryption scheme around our WiFi. Basically, the security built into WiFi is pretty much ineffective. An attacker could intercept your passwords, emails, and any other data that you’d think was encrypted. They could even, in some cases, inject malware into a website you’re visiting, making you think it was the real deal.
In essence, all those cyber secrets you have and think no one knows, or hope that no one knows, could be exposed by your simple exposure to WiFi. Because at this point, if an attacker wants your data, your home WiFi won’t be any safer than those public WiFi hotspots every cybersecurity expert in history has warned you against.
The proof of concept exploit has been dubbed KRACK, short for Key Reinstallation AttaCKs. The exploit is effective against devices running Android, Linux, and OpenBSD, with Android and Linux being possible to reinstall an all-zero encryption key. To a lesser extent, it also works against macOS and Windows, and other type of devices.
This all sounds pretty horrible and apocalyptic, and to some extent that’s the truth of the situation – something we thought we could all rely on has been proven to be largely ineffective. Not only that, but patching this problem completely is borderline impossible as it requires fixing both our devices, and the router, and any other WiFi devices we may have and that’s a lot of vendors putting in a lot of time to protect a million versions of devices they’ve released over the years.
The one good thing about this WiFi issue is that in order for someone to hack you and read through all your data is for them to be in physical proximity. So, if you live in an apartment building you may have to make sure you don’t have any hacker neighbors, but when you live in a house, you might just have to make sure there’s no suspicious individuals carrying around a laptop on your front lawn. The main idea is that you’re not vulnerable to everyone who’s online. It does not mean you’re completely safe, but it does mean that you’re not as in danger as you may think when first reading about the vulnerability of WPA2.
Furthermore, there aren’t that many protocols relying on WPA2. For instance, when you access a HTTPS page your browser does the job of negotiating a separate layer of encryption, which makes accessing secure websites over WiFi as safe as ever.
But then again, it doesn’t mean you’re 100% safe, either. Attackers could still disrupt your communications. Pretending to be a secure site so you can provide all that precious data without any protections won’t be possible, but they can pose as any other non-secure site you visit daily. This is yet another reminder of why it is important all sites migrate towards HTTPS sooner rather than later.
When it comes to how to protect yourself – caution is the key. Your home router, which is likely a bit old already, or from an older generation, has little chances of getting a firmware upgrade soon. Other WiFi equipment you may use may also be in the same situation of being far from ever getting a protocol upgrade. Therefore, the best solution is to make sure you visit secure websites, and patch up your computer OS and AV solutions. Then, you might also consider switching your computer to Public Network mode, as that has a higher level of security than the Home Network mode.
When it comes to your mobile devices, again, make sure to update your device once such an update is available. You could also turn off WiFi when not in use.
Any IoT devices linked to your WiFi could become immediate targets to an attacker as their security levels are practically nonexistent compared to our computers or smartphones. It is quite unlikely that your smart devices will get an update if their primary purpose isn’t Internet-linked, like a TV, or your fridge. Those updates are already hard to come by even under normal circumstances.
That being said, we’ll just have to keep an eye out for any updates coming our way from vendors and OS makers and try to secure our devices as best as possible. You might also want to make sure not to make enemies out of hackers that know your home address.
“It seems that learning about another critical security flaw of a fundamental network component simply goes without saying nowadays. People are getting pretty much used to the tendency that everything online is vulnerable and trust in the security of a protocol or service is only temporary or even momentary,” said cyber secret futurist Arthur Keleti. “On the other hand, I breathed a sigh of relief over the early reaction of some vendors, like Mikrotik, who already released a series of patches to address this vulnerability weeks ago.”