Wi-Fi is the invisible connective tissue of the internet. But on Monday, we all learned of a vulnerability in the method that wireless networks use to secure the information that travels from your router to your device, and it lies in a protocol called WPA2. Mathy Vanhoef, a 28-year-old postdoctoral researcher at KU Leuven, a university in Belgium, discovered the issue, called KRACKs, months ago.
Here’s what you need to know about the problem, and what to do about it.
It starts with a handshake
When a machine like a laptop or smartphone connects to a Wi-Fi network, the two gadgets carry out a multi-step handshake. That process involves confirming that your phone, for example, has the right password to connect to the network. The handshake system also produces encryption keys that keep the data secure, so no one can snoop on you. It’s here where the vulnerability lies—the exploit causes one of those keys to be reused, which is a security no-no.
“We found a weakness in the design of this WPA2 protocol [in which] we can force a victim into reusing a key,” Vanhoef, the researcher who discovered the issue, says. “In turn we can use that to reveal sensitive information that the victim is sending, such as passwords, or usernames, and so on.”
Good news: For this exploit to actually happen, the hacker taking advantage of it must be in range of the Wi-Fi network, so it’s not the kind of attack that can be carried out from the other side of the world. Bad news: if done successfully, the attacker could intercept and see the data that flows from your device to the internet.
“When I initially discovered it, it was really surprising to find this,” Vanhoef says. “Because this WPA2 protocol has been around for 14 years.”
For those looking for a more thorough explanation of the problem, Leuven has published a research paper on the topic and also lays it all out in a website about it.
Who’s affected?
The problem lies in the WPA2 wireless protocol—so it’s not something that a specific device-maker created. According to Vanhoef, common operating systems like iOS, Android, Linux, and Windows are all susceptible, but to different degrees. The most vulnerable devices run the Android and Linux operating systems, Leuven says.
Your home Wi-Fi network is less likely to be vulnerable than a big one, like a public Wi-Fi system at an airport or an office.
Leuven says it is unclear if anyone has actually used the exploit yet. “We’re not in a position to determine if people are abusing this or not,” he says. But he remains most concerned about smartphones running Android.
So what should you do?
The most important thing you can do—today and always—is install the automatic updates that companies push out. Whether your smartphone or laptop is running iOS or Android, Windows or macOS, the key is to “always install updates,” Leuven advises. No need to change the password on your home Wi-Fi network, he says. (Microsoft is on the ball with this one and patched the issue on October 10.)
And while home networks and routers are less vulnerable than others, it’s also a good idea to make sure your router’s firmware is updated. For example, Netgear published an article listing the routers, cameras, range extenders, and other gizmos that are vulnerable to this exploit, and explains how to get the newest firmware.
Karen Sohl, a communications director for Belkin, Linksys, Wemo, says that they are “aware” of the vulnerability. “Our security teams are verifying details and we will advise accordingly,” she says, via email, adding that they “are planning to post instructions on our security advisory page on what customers can do to update their products, if and when required.”
And Apple confirmed to Popular Science that fixes for the exploit are coming to consumers via updates in the next few weeks for iOS, macOS, watchOS, and tvOS; those same updates are already out in either public or developer betas.
“Don’t panic,” Candid Wueest, a threat researcher with Symantec, says. However, he adds, “It is definitely a serious vulnerability which is present in the design of Wi-Fi as we use it, with the WPA-2 encryption.”
Like Leuven, Wueest stresses the importance of updating the software that runs your devices. He also recommends that if you are sending sensitive information, check your browser to make sure the connection is secured with HTTPS/SSL. (Look for a lock symbol in the URL field.) When configured correctly, that protocol protects your information with an additional level of security. The last step to take, for the truly worried? Consider using a virtual private network, or VPN.
Ultimately, a vulnerability like this is “rare,” but compared to malicious code like WannaCry, Wueest says, “it’s not as bad for the internet.”
