Belgian researcher Mathy Vanhoef announced some rather brilliant research on Monday which demonstrates that nearly all Wi-Fi in use today can be attacked. The protocol that scrambles data as it’s transmitted wirelessly between your gadgets and routers, called WPA2, can be tricked into reinstalling an encryption key it is already using, which resets the counter that is supposed to make every packet’s scrambling unique. An attacker within range can then unscramble the traffic, even though he never learns your Wi-Fi password. Because the flaw is in the protocol itself rather than in any one product, just about everyone and everything around the planet is exposed to the attack.
The Department of Homeland Security issued a warning about this so-called KRACK attack on Monday. So this is serious. If your device uses Wi-Fi, it’s vulnerable.
But don’t panic.
First, a criminal who wanted to exploit this flaw would have to be in physical range of the wireless network, so that limits its practical use. Second, according to the Wi-Fi Alliance, there is no evidence the vulnerability is being used maliciously. But most important, for most consumers, security can be restored through a software update to their computers and phones, because the attack targets the device that connects to the network rather than the network itself. It’s worth checking to see if your Wi-Fi router has a security update, but for a typical home router it’s not strictly necessary: a router is only affected in its own right if it uses fast roaming (802.11r) or acts as a client itself, as a Wi-Fi repeater does. According to Vanhoef, it’s not even necessary to change your router password, since the attack doesn’t reveal it (though, after you install any patch, changing it is not a bad idea).
Critically, that also means you don’t have to avoid all public Wi-Fi, as some have suggested — though it wouldn’t hurt to stick with your mobile network and skip Wi-Fi if you use an Android phone, for now. One flavor of the attack is substantially easier to exploit on Android 6.0 and later and on Linux devices, the researchers say, because a bug in the Wi-Fi software they share (wpa_supplicant) means the reinstalled key ends up being all zeros, which makes unscrambling the traffic trivial.
The flaw comes from the way the routers and the gadgets talk when they set up a connection, so you can protect yourself by updating your gadget. Of course, it’s always a good idea to be judicious when using public Wi-Fi — to avoid security-sensitive tasks like online banking, to use secure sites (signaled by https in the web address) or to use a VPN for extra security. Those layers scramble your data independently of the Wi-Fi link, so they still protect it even if the wireless encryption is defeated. It’s also worth looking around your coffee shop to see if anyone seems to be doing anything suspicious. But, at the moment, the skills needed to pull off such an attack are elite, so the risks posed are still low.
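To make the mechanism concrete, here is an added illustration; it is not code from the article or from Vanhoef’s research team. It is a small Python model of a Wi-Fi client’s encryption state in which a replayed handshake message reinstalls the same key and resets the packet counter. WPA2’s CCMP derives each packet’s keystream from the session key and a counter using AES; the model substitutes HMAC-SHA256 so it runs on the standard library alone, and the session key and the two packets are constructed for the demo. The arithmetic is the same as in CCMP: two packets encrypted with the same key and counter share a keystream, so an attacker who can guess one packet’s contents can XOR the two ciphertexts and read the other. The Android/Linux all-zero-key variant and a patched client that refuses to reinstall a key already in use are modelled alongside.

```python
import hashlib
import hmac

# Constructed values for the demo; none of this is real traffic or a real key.
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # stand-in for the pairwise key
ZERO_KEY = bytes(16)
KNOWN_PACKET = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"  # guessable plaintext
SECRET_PACKET = b"card=4111111111111111&exp=1221&cvv=123"            # what the attacker wants


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Counter-mode keystream derived from (key, packet nonce, block index).

    CCMP does this with AES; HMAC-SHA256 stands in here so the demo needs only
    the standard library. The property the attack relies on is the same:
    the same key and nonce always yield the same keystream.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Minimal model of a Wi-Fi client's encryption state (hypothetical, for illustration)."""

    def __init__(self, patched: bool = False, zero_key_bug: bool = False):
        self.patched = patched              # refuse to reinstall a key already in use
        self.zero_key_bug = zero_key_bug    # wpa_supplicant-style: reinstall yields an all-zero key
        self.key = None
        self.nonce = 0

    def handle_handshake_msg3(self, key: bytes) -> None:
        """Install the negotiated key and reset the per-packet nonce.

        Unpatched clients did this for every message 3, including a replayed
        one; that reset is the whole KRACK flaw. The fix is to ignore a
        repeat of a key that is already installed.
        """
        if self.patched and key == self.key:
            return
        if self.zero_key_bug and self.key is not None:
            key = ZERO_KEY  # the real key was wiped from memory after first use
        self.key = key
        self.nonce = 0

    def encrypt(self, plaintext: bytes):
        """Encrypt one packet; returns (nonce, ciphertext)."""
        self.nonce += 1
        return self.nonce, xor_bytes(plaintext, keystream(self.key, self.nonce, len(plaintext)))


def recover_by_keystream_reuse(ct_known: bytes, pt_known: bytes, ct_target: bytes) -> bytes:
    """When key and nonce match, ct_known ^ ct_target == pt_known ^ pt_target,
    so pt_target == ct_known ^ ct_target ^ pt_known."""
    return xor_bytes(xor_bytes(ct_known, ct_target), pt_known)


def run_attack(patched: bool = False, zero_key_bug: bool = False) -> dict:
    """Replay message 3 against a client and report what the attacker recovers."""
    sta = Station(patched, zero_key_bug)
    sta.handle_handshake_msg3(SESSION_KEY)        # legitimate message 3
    n1, ct_known = sta.encrypt(KNOWN_PACKET)
    sta.handle_handshake_msg3(SESSION_KEY)        # attacker replays message 3
    n2, ct_secret = sta.encrypt(SECRET_PACKET)
    result = {
        "nonce_reused": n1 == n2,
        "recovered": recover_by_keystream_reuse(ct_known, KNOWN_PACKET, ct_secret),
        # Android/Linux flavour: no known plaintext needed, the key itself is all zeros.
        "zero_key_decrypt": xor_bytes(ct_secret, keystream(ZERO_KEY, n2, len(ct_secret))),
    }
    result["success"] = SECRET_PACKET in (result["recovered"], result["zero_key_decrypt"])
    return result


if __name__ == "__main__":
    for label, kwargs in [("unpatched", {}), ("android/linux", {"zero_key_bug": True}),
                          ("patched", {"patched": True})]:
        r = run_attack(**kwargs)
        print(f"{label:14s} nonce reused={r['nonce_reused']!s:5s} attacker wins={r['success']}")
```

The patched client keeps counting packets instead of resetting to zero on the replayed message, so the two ciphertexts no longer share a keystream and the XOR trick yields garbage. That single-line refusal to reinstall an in-use key is the substance of the vendor patches the article tells readers to install.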
“For ordinary home users, your priority should be updating clients such as laptops and smartphones,” the researchers say.
Bottom line for you: If you’ve been postponing software updates, stop what you are doing and restart your gadget to install any new security patches. Microsoft told The Verge that it has already patched against KRACK, so Windows users who install the latest update are protected. Google is still working on a patch for Android devices, The Verge said. The status of any patch from Apple for its Mac computers, iPhones and iPads was not immediately available.
Enterprises might have a bit more to fear, as they have much more to lose. A criminal using KRACK could theoretically sit in a parking lot outside a retailer, unscramble the store’s Wi-Fi traffic and siphon off a stream of credit card numbers, unless that traffic is separately encrypted on its way to the payment processor. Doing so would be worth the investment of time. And while even the researchers concede in their paper that some attack scenarios seem “impractical,” tools to weaponize the attack are likely to follow. So IT workers should actively seek out patches for routers and access points as well as for client devices. Recall the recent Equifax incident: CEO Richard Smith would still have his job today if his firm hadn’t waited months to install a critical security update.
The Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) has a comprehensive list of impacted vendors in its Vulnerability Note VU#228519.