Yesterday, cybersecurity researchers announced that a critical flaw was discovered in the WPA2 Wi-Fi security protocol. This protocol has been considered safe and reliable since the mid 2000s and has become a de facto security standard for both consumer and enterprise Wi-Fi. The flaw, named KRACK by its author, breaks the automatic sharing of encryption keys between a device and the wireless access point it’s attempted to communicate with in order to allow an attacker to intercept web traffic for harvesting personal data and account credentials. While there are no known exploits or attacks in the wild right now, it is expected that attackers will begin to using this exploit soon and will continue to do so for the foreseeable future.
Android and Linux-based devices are particularly vulnerable to KRACK, but many devices that connect to Wi-Fi are vulnerable at this time and software updates and security fixes may not be available to mitigate the issue. Here’s how you can protect yourself from KRACK:
- Avoid public Wi-Fi networks when at all possible. If your cellular plan allows for Internet tethering from your smart phone, consider using it for high risk areas like hotels and airports.
- Utilize GHC’s VPN (for remote work) or a private VPN service to protect your web traffic from surveillance on untrusted Wi-Fi networks.
- Ensure every website you sign in to has a green lock to the left of its address (HTTPS) in your browser every time you sign in. HTTPS connections protect the privacy of your communications to a website by encrypting it.
- If you supply your own Wi-Fi router or access point at home, check with the manufacturer’s support page to ensure its embedded software (firmware) is up to date and will receive an update to address this vulnerability. If your router is end-of-life or unsupported, consider replacing it with a newer model.
More information about KRACK is available at:
https://www.theverge.com/2017/10/16/16481252/wi-fi-hack-attack-android-wpa-2-details