The security that protects the connection between a wireless network and computers, smartphones and tablets has been breached, which could leave every wi-fi device wide open to hackers.
The WPA2 (Wi-Fi Protected Access) protocol, used to protect basically every secure wi-fi network in the world, has been cracked, according to security expert Mathy Vanhoef, who found the vulnerability.
This bug is known as KRACK – short for Key Reinstallation Attack – and exploits a flaw in the WPA2 protocol’s four-way handshake, the exchange that lets devices with the right password join the network.
WHAT DOES THIS MEAN?
In the worst-case scenario, a hacker could use KRACK to get around the WPA2 encryption, see everything you’re looking at, take over connections and add their own content into the network.
“All protected wi-fi networks use the four-way handshake to generate a fresh session key. So far this 14-year-old handshake has remained free from attacks,” Mathy Vanhoef says in his report.
“However we show the four-way handshake is vulnerable to a key reinstallation attack. Here the adversary tricks a victim into reinstalling an already in-use key.
“This is achieved by manipulating and replaying handshake messages.
“We confirmed our findings in practice, and found that every wi-fi device is vulnerable to some variant of our attacks.”
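The key reinstallation described in the quote above, as a simplified Python model added here for illustration (not code from the article or from Vanhoef's research). The Client class, the toy keystream and the sample key and messages are constructed assumptions; the detail that installing a key resets the per-packet counter comes from the published KRACK research rather than this article.

```python
import hashlib


def keystream(key: bytes, nonce: int, n: int) -> bytes:
    # Toy stand-in for the real cipher: output depends only on (key, nonce).
    return hashlib.sha256(key + nonce.to_bytes(8, "big")).digest()[:n]


class Client:
    """Simplified wi-fi client (illustrative model, not driver code)."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.nonce = 0
        self.nonces_used = []

    def on_message3(self, key: bytes) -> None:
        # Handshake message 3 tells the client to install the session key.
        if self.patched and key == self.key:
            return  # fix: this key is already in use, ignore the replay
        self.key = key
        self.nonce = 0  # installing a key resets the per-packet counter

    def send(self, plaintext: bytes) -> bytes:
        self.nonce += 1
        self.nonces_used.append(self.nonce)
        ks = keystream(self.key, self.nonce, len(plaintext))
        return bytes(p ^ k for p, k in zip(plaintext, ks))


def run(patched: bool):
    """Return (nonces used, keystream reused?, ciphertext 1, ciphertext 2)."""
    client = Client(patched)
    key = b"constructed-session-key"  # constructed sample value
    client.on_message3(key)
    first = client.send(b"hello bank")
    client.on_message3(key)  # the same message 3 arrives a second time
    second = client.send(b"hello mail")
    reused = len(set(client.nonces_used)) < len(client.nonces_used)
    return client.nonces_used, reused, first, second


if __name__ == "__main__":
    for patched in (False, True):
        nonces, reused, _, _ = run(patched)
        print(f"patched={patched} nonces={nonces} keystream_reused={reused}")
```

In the unpatched run both packets are encrypted with the same keystream, so combining the two ciphertexts cancels the encryption. The patched client ignores the repeated message, keeps counting and never repeats a keystream.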
WHAT DO WE DO NOW?
Should you stay off wi-fi? No, not at all.
This is a proximity risk, which means the attacker would have to be within reach of your network to use this bug.
Unlike other online threats that can affect users on the other side of the world, KRACK needs to be deployed in your vicinity.
SO ARE WE OK?
Not really. All it will take for this to spread is hackers ganging up and cracking open previously secured wi-fi networks to see what they can find.
It’s like every house in the street being left unlocked and intruders being allowed to wander inside. And even if you’re home, you won’t be able to see them, and they can help themselves to every bit of information they can find.
WHAT CAN WE DO?
Visiting secure websites – with an address that starts with HTTPS – is still safe.
Using a VPN (Virtual Private Network) – which creates your own private tunnel to the internet – may also make you invisible to a network intruder.
If you’re using a smartphone, it would be safer to connect to the internet using the cellular network rather than wi-fi.
WHAT HAPPENS NEXT?
An encryption protocol is another word for the virtual lock and key of a network.
But simply changing the locks won’t work here because this previously impregnable lock is all we’ve got.
It’s all we’ve got because it hasn’t been cracked in the 14 years it has been used across the world.
The four-way handshake may be updated to a six-way or eight-way handshake – but that’s easier said than done.
The last time something like this happened was when the previous WEP (Wired Equivalent Privacy) protocol was cracked in 2001. It took years for new routers with WPA2 to appear, but there weren’t anywhere near as many of us online back then either.
Today it is a completely different story, with not only more people on wi-fi but even more devices, including our phones, computers, TVs and countless others.
Security experts are no doubt working on a patch for this issue as we speak.