On 16 October 2017, the KRACK vulnerability in WPA2 was publicly disclosed. WPA2 is the most common security method found in wireless routers released since 2004. The flaw lets hackers within radio range break into what appears to be a fully secured WiFi connection without the victim’s knowledge until it is too late for them to do anything about it. To make matters worse, the vast majority of wireless devices use WPA2 to negotiate entry into a network.
And the story isn’t over: it might take a few years to completely mitigate the damage, regardless of how much effort software manufacturers like Apple and Microsoft make to patch their systems.
How the KRACK Vulnerability Works
To understand the KRACK vulnerability (as it’s called in the media, short for “Key Reinstallation Attack”), we first have to know how WPA2 works. To authenticate a device on the network, both the router and the device go through a four-step process known as the four-way handshake. Let’s explain this in a little more detail, since a lot of outlets get this process wrong:
- The router sends the device a random number (a nonce). Together with the device’s own nonce and the network password, this gives the device the means to derive the session key it will use for traffic with the router, known as the pairwise transient key (PTK).
- The device now replies with its own random number, along with a message integrity code (MIC) validating that it is indeed the device the router is communicating with, and proof that it holds the password needed to access the network.
- The router, upon receiving the previous information, replies with the group temporal key (GTK), which is used for broadcast traffic.
- The device acknowledges the GTK with a confirmation message and installs the keys, effectively joining the network.
The process is a little more complicated than I described it, but for the purposes of our next explanation, it suffices.
Hackers who want to exploit the vulnerability are able to force the device to “reinstall” a key that was already negotiated between the router and the device. Reinstalling a key also resets the packet counter that goes with it, so the same encryption keystream is used a second time, and there goes all protection. Someone with the ability to do this can impersonate their victim at will and read packets that are meant for their eyes only (if the hacker reinstalls the PTK).
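To make the handshake and the reinstallation problem concrete, here is a toy model added for this article; it is not code from the article, from the KRACK research or from any real WPA2 stack. It walks the four messages described above, installs the PTK, then delivers message 3 a second time. The vulnerable supplicant reinstalls the key and resets its packet counter, so the next frame reuses a packet number and therefore a keystream; the hardened supplicant refuses to install a key it already has in use, which is the countermeasure the KRACK disclosure recommends. The passphrase, SSID and addresses are made up, and the PTK derivation and keystream are HMAC-SHA256 stand-ins for WPA2’s real PRF and AES-CCMP so that the file runs with the standard library only.

```python
"""Toy model of the WPA2 four-way handshake and of key reinstallation.

Added illustration; not code from the article or from any WPA2 implementation.
Real 802.11 uses PBKDF2-SHA1 for the PMK, a SHA1-based PRF for the PTK and
AES-CCMP with a 48-bit packet number. Here the PRF and keystream are
HMAC-SHA256 stand-ins. All sample values below are constructed.
"""
import hashlib
import hmac
import os

PASSPHRASE = b"correct horse battery staple"  # constructed sample pre-shared key
SSID = b"coffee-shop-wifi"                    # constructed sample network name
AP_MAC = bytes.fromhex("020000000002")        # constructed router address
STA_MAC = bytes.fromhex("020000000001")       # constructed device address


def derive_pmk(passphrase: bytes, ssid: bytes) -> bytes:
    """Pairwise master key from the WiFi password (this step matches WPA2-PSK)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def derive_ptk(pmk: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise transient key: PMK mixed with both nonces and both addresses (stand-in PRF)."""
    data = min(AP_MAC, STA_MAC) + max(AP_MAC, STA_MAC) + min(anonce, snonce) + max(anonce, snonce)
    return hmac.new(pmk, b"Pairwise key expansion" + data, hashlib.sha256).digest()


def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Stand-in for CCMP's counter-mode keystream: fully determined by key and packet number."""
    return hmac.new(key, packet_number.to_bytes(6, "big"), hashlib.sha256).digest()[:length]


class Supplicant:
    """Client side of the handshake. hardened=True refuses to reinstall a key already in use."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.snonce = os.urandom(32)
        self.ptk = None
        self.installed_key = None
        self.packet_number = 0
        self.log = []

    def handle_msg1(self, anonce: bytes) -> bytes:
        """Message 1 carries the router's nonce; the device can now derive the PTK."""
        self.ptk = derive_ptk(derive_pmk(PASSPHRASE, SSID), anonce, self.snonce)
        return self.snonce  # message 2: the device's nonce (MIC omitted in this toy)

    def handle_msg3(self) -> None:
        """Message 3 tells the device to install the PTK; it may be retransmitted."""
        if self.hardened and self.installed_key == self.ptk:
            self.log.append("message 3 repeated: key already installed, ignoring")
            return
        self.installed_key = self.ptk
        self.packet_number = 0  # installing a key resets its packet counter
        self.log.append("PTK installed, packet counter reset")

    def send(self, plaintext: bytes) -> tuple:
        """Encrypt one frame under the installed key; returns (packet number, ciphertext)."""
        self.packet_number += 1
        ks = keystream(self.installed_key, self.packet_number, len(plaintext))
        return self.packet_number, bytes(p ^ k for p, k in zip(plaintext, ks))


def run_handshake(hardened: bool) -> dict:
    """Handshake, one data frame, a repeated message 3, then another data frame."""
    sta = Supplicant(hardened)
    sta.handle_msg1(os.urandom(32))   # messages 1 and 2
    sta.handle_msg3()                 # message 3 (message 4 acknowledgement implicit)
    pn1, _ = sta.send(b"first frame")
    sta.handle_msg3()                 # message 3 arrives a second time
    pn2, _ = sta.send(b"second frame")
    same_stream = keystream(sta.installed_key, pn1, 16) == keystream(sta.installed_key, pn2, 16)
    return {"packet_numbers": (pn1, pn2), "keystream_reused": same_stream, "log": sta.log}


if __name__ == "__main__":
    for mode in (False, True):
        result = run_handshake(hardened=mode)
        print("hardened" if mode else "vulnerable", result["packet_numbers"], result["keystream_reused"])
```

Running it prints packet numbers (1, 1) with keystream reuse for the vulnerable supplicant and (1, 2) without reuse for the hardened one. The fix is a single state check, which is why it could be shipped as a client-side patch: a device that never installs a key it is already using cannot be made to rewind its packet counter, whatever the router (or someone pretending to be it) retransmits.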
How to Protect Yourself
So, if a hacker can perfectly impersonate you without your knowledge, how are you supposed to protect your information? Theoretically, one could simply connect to a WiFi network, then manipulate packets to make a payment on your behalf to their bank account.
The first step is avoiding WiFi altogether for sensitive things like logging into your online banking application. For these things, you could use your cellular network. It might cost a penny or two (if your data plan charges per X amount of data transferred), but at least you will have the peace of mind of being on a network with more anti-hacker muscle behind it than some $40 router at a coffee shop.
If you cannot avoid WiFi and you must do something now, I highly suggest connecting to a virtual private network (VPN) before you go through with it. Using a VPN will not necessarily give you immunity against hackers, but at least you’ll have a bit more protection with an extra layer of security, especially if it involves end-to-end encryption. Even if a hacker can impersonate you relative to the router you’re connected to, the task just got much harder because VPNs use another type of authentication that often guards against these attempts.
If you do not have a VPN, then just know that you’re taking a risk in doing what you need to do through WiFi. You can minimize this risk by having multiple-factor authentication with your bank and other applications you use.
It’s not the end of the world, but that doesn’t mean you shouldn’t be vigilant and protect all your valuable data as much as you can. These steps should be followed regardless of whether the WiFi connection you’re in is vulnerable or not.
Also, since most people do not install firmware updates on their routers, it will likely take years until this particular vulnerability is completely phased out. It wouldn’t hurt to update your own router’s firmware and to ask the places you frequent to do the same!
What else do you do to protect your data? Tell us all about it in a comment!