Without looking, can you tell me what security protocol your wi-fi is using? I can, but that’s because I’m a gigantic nerd; I’ve got the standard WPA2 encryption whizzing through my apartment. If you’ve recently installed a router or received a modem with built-in wi-fi from your internet service provider, you’re probably also running WPA2, because it’s largely supplanted WEP and WPA as the most prevalent method of protecting your bits.
Unfortunately, that puts you and I in the same boat; one which has recently sprung a leak when a vulnerability was released to the wide world, exposing a way for hackers to worm their way into almost every wi-fi connection on the planet. Don’t panic, though. Like almost every widespread threat, it’s difficult to pull off and is easy to protect against.
BECAUSE ‘KRA’ DOESN’T HAVE QUITE THE SAME RING
I’m not going to get too detailed about wireless protocol, but WPA2 works like any other encryption; by obfuscating the contents of a data packet using a key that’s only known to the device and the client. The one side uses the key to encrypt the data, sends it over to the receiving device, which then unencrypts it using the same key. It’s like one of those enigma machines used in WWII by the Axis, or to put a pop culture spin on that analogy, it’s like one of those secret decoder rings that you’d get in your Ovaltine. Just a lot more complicated, obviously.
The Key Reinstallation Attack -- also known as KRACK, because some people give no regard to proper acronym etiquette – is a WPA2 hack discovered last year by Belgian researchers that involves taking advantage of the way devices authenticate to capture and even change the encryption key. Using the vulnerability, it’s possible to rewrite the key to all zeroes, essentially removing all encryption and opening things up to eavesdropping.
STEP ON A KRACK
The fact that the vulnerability is so widespread – affecting every implementation of WPA2 wi-fi – makes the hack sound pretty threatening, but it isn’t all that easy to pull off. It’s essentially a man-in-the-middle style attack, requiring the attacker to be physically within range of the wi-fi network. That obviously makes it difficult for someone to do it while remaining physically undetected.
That means that it might be possible to stealthily hack a company’s wi-fi in a public place, like a Law Office’s waiting room, but less practical when it comes to infiltrating your home network. A malicious hacker would make more effective use of their time by simply using a packet sniffer in a public place to gather random packets in hopes of obtaining valuable information. Because, as we’ve said before, directed hacking is rare; it’s typically handled more like fishing with a net.
So with that in mind, is it even worth protecting yourself? Yes, definitely, because it's not difficult and the vulnerability isn't just going to go away on its own. If there’s one benefit to having a widespread issue like KRACK, it’s that companies are quick to fix it. As such, protection from intrusion is a simple update away in most cases.
So, as always, make sure that your operating system is up-to-date; whether it’s Windows, Mac, or a Linux derivative. If you connect your mobile devices to wi-fi, you’ll want to ensure that they’re updated, as well. If you’re the adventurous type, it’s also a good idea to update your wireless router’s firmware.
Also, make sure you protect yourself in the same way that you would from a packet sniffer. Try to avoid putting passwords, PINs, or credit card numbers within the bodies of emails or other plain text forms. When you do need to input this information, ensure that you're connecting through SSL (https instead of http on websites).