The US-CERT has recently distributed an advisory to a multitude of organisations, warning of the severe Wi-Fi security flaw in the WPA2 Wi-Fi encryption protocol.
The severe fault, dubbed KRACK (Key Reinstallation Attacks) has the potential to allow hackers, within physical range, to intercept credit card numbers, passwords, photos and other sensitive information. Meaning just about every router, smartphone and PC could be impacted.
How it works
Attackers find a vulnerable WPA2 network, then make a carbon copy of it and impersonate the MAC address, then change the Wi-Fi channel. This new, fake network acts as a ‘man in the middle’, so when a device attempts to connect to the original network, it can be forced to bypass it and connect to the rogue one.
Normally, WPA2 encryption requires a unique key to encrypt each block of plain text. However, the hack described in the ‘Krack Attack’ paper forces certain implementations of WPA2 to reuse the same key combination multiple times.
The problem is made worse by Android and Linux, which, thanks to a bug in the WPA2 standard, doesn’t force the client to demand a unique encryption key each time. Rather, they allow a key to be cleared and replaced by an ‘all-zero encryption key,’ foiling a key part of the handshake process. In some cases, a script can also force a connection to bypass HTTPS, exposing usernames, passwords and other critical data.
Protecting your device
VPN specialist, NordVPN, commented on how users can protect their devices, detailing that one solution would be to add an extra layer of security. “Past experience shows that these types of vulnerabilities don’t get easily fixed,” says Marty Kamden, CMO of NordVPN. “Home Wi-Fi users are especially vulnerable, as they do not have enough information how to deal with the threat. ISPs can take years to switch to routers with a safer protocol. That’s another situation where users should take their Internet security into their own hands. Everyone should assume that their network is now vulnerable, and take precautions. Virtual Private Networks – VPNs – remain the strongest defence form these types of vulnerabilities.”
A VPN will add an extra layer of security on the entire device by rerouting one’s online data through a ‘tunnel’ secured with military-grade encryption, ensuring that no third parties can eavesdrop on it. However, a VPN will not help if configured on one’s router. A user’s devices must be connected to VPN from within your network.
“Internet users should also look for firmware patches for their routers. Depending on their configurations, they could be potentially exploited,” adds Marty.