Krack Attack: Security Flaw Puts Every Wi-Fi Connection at Risk
Thanks to a newly discovered security flaw, your home Wi-Fi is completely hackable, giving cyber thieves a front row seat to everything from your private chats to your baby monitor. And there’s not much you can do about it — yet.
“When I woke up this morning and saw this one, I was taken aback,” Bob Rudis, chief data scientist at Rapid7, a security data and analytics company, told NBC News. “We try to make sure if something is talked about in a bad way, it actually is bad.”
Called Krack, the attack takes advantage of the four-way handshake, a process between a device and a router that has been around for 14 years and is designed to deliver a fresh, encrypted session each time you get online.
During the third step in the process, hackers can resend a key in such a way that it resets the encryption key to zero. Encryption is the process that makes your data uncrackable to anyone who might intercept it.
With an unencrypted session, hackers are then free to pry into whatever you and your devices are doing on Wi-Fi.
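To make the third-step replay concrete, here is an added example (not from the article or the researchers' code) of a client that accepts a resent third handshake message next to one that ignores it. In the published attack, reinstalling the key also resets the per-packet counter, and that is what the example models; the `Client` class, the toy keystream standing in for the real Wi-Fi cipher, and the sample key and frames are all constructed for illustration.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy stand-in for the Wi-Fi cipher: output depends only on (key, nonce)."""
    out, block = b"", 0
    while len(out) < length:
        msg = nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Hypothetical client side of the four-way handshake (step 3 onward)."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.nonce = 0

    def on_message3(self, key: bytes) -> None:
        # Patched behaviour: a resent message 3 carrying the key that is
        # already installed must not reinstall it or reset the counter.
        if self.patched and key == self.key:
            return
        self.key = key
        self.nonce = 0  # key (re)installed, per-packet counter starts over

    def send(self, plaintext: bytes) -> bytes:
        self.nonce += 1
        return xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))


def keystream_reused(patched: bool) -> bool:
    """Resend message 3 between two frames; report whether the keystream repeated."""
    session_key = bytes(range(16))                            # constructed key
    p1, p2 = b"GET /inbox HTTP/1.1", b"password=hunter2!!!"   # constructed frames
    client = Client(patched)
    client.on_message3(session_key)   # legitimate step 3
    c1 = client.send(p1)
    client.on_message3(session_key)   # resent step 3
    c2 = client.send(p2)
    # If the keystream repeated, it cancels out: c1 XOR c2 == p1 XOR p2.
    return xor(c1, c2) == xor(p1, p2)
```

`keystream_reused(False)` reports the repeat for the unpatched client, while `keystream_reused(True)` shows the patched client keeps counting and never repeats a keystream.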
“The one saving grace is the attackers need to be within range of Wi-Fi networks,” said Rudis. “But someone can sit outside your office or the apartment next door and do this attack from there.”
The Krack attack was discovered by researchers Mathy Vanhoef and Frank Piessens of KU Leuven in Belgium and was revealed on Monday.
It’s a common practice in the security world to notify vendors of an exploit before it is publicly released. On their website, the researchers said they notified vendors of the products they tested on July 14. After realizing they were dealing with a protocol weakness instead of a set of bugs, the duo alerted the United States Computer Emergency Readiness Team (CERT), who began contacting vendors in August.
CERT disclosed the exploit on Monday and included a list of vendors, when they were notified, and whether they are affected. As of Monday afternoon, many were listed as “unknown.”
It’s difficult to determine if any cyber criminals have used the exploit “in the wild” or are currently using it, the researchers said on their website. A demo video showed how they were able to use the attack to hack into an Android 6.0 smartphone.
Google, which develops the Android operating system, is aware of the issue and “will be patching any affected devices in the coming weeks,” a spokesperson said.
Robert Siciliano, CEO of IDTheftSecurity.com, told NBC News “it’s hard, if not impossible to say” if this attack has ever been used. However, given the amount of time the four-way handshake has been around, he believes it’s possible someone has used it.
“This vulnerability has been in existence, some say, for up to 14 years — which means that it’s entirely possible someone has already determined this flaw in the past and has exploited it,” he said.
How to Protect Yourself
Fixing such a gaping problem with the Wi-Fi protocol is going to require making sure your smartphone and laptop are up to date with the latest patches.
You’ll also want to check for any firmware updates to your wireless router. If you’re using equipment provided by your internet service provider, Rudis recommends checking with the company for the latest information on updates. If you own your router, you’ll want to check to make sure you’ve downloaded any patches.
Since virtually every device in the world that uses Wi-Fi is vulnerable, he said it’s crucial to stay on top of updates.
“I think most manufacturers will have patches soon,” Rudis said. “But if you don’t see a patch for your home network equipment in at least a week, you should get a new Wi-Fi access point for your house.”
While part of the solution is in the hands of vendors, home users can protect themselves now by using a “vitally important” tool called a VPN — a virtual private network.
“The minute you do that, you negate this vulnerability,” Rudis said. Hackers might still be able to capture your packets — but they won’t be able to break the security.
You can also safely browse at HTTPS sites; however, that will require every link, photo, and anything else on the page to also have a secure domain, Rudis said, calling it “virtually impossible to do.”
There seems to be a new vulnerability being exposed every day, bolstering the need for more resources to go toward fighting a cyber threat that continues to grow exponentially.
One in 131 emails sent last year contained malware, marking the highest rate in five years, according to a report from Symantec.
The growing threat is costing companies — and consumers — big bucks.
Cyber security spending is expected to top $1 trillion between 2017 and 2021, according to Cybersecurity Ventures, and that’s largely fueled by the growing number of hacking threats.
The disclosure on Monday was one of the more troubling ones in recent times for security experts, though they also stressed it’s inevitable.
“Think of anything mechanical, even think of food,” Siciliano told NBC News. “Occasionally you see a recall because an airbag is hurting people or because brakes aren’t working because the design was flawed… Nothing will ever be perfect.”
What can you do to secure your data?
The fact that almost every device in almost every Wi-Fi network is vulnerable to KRACK sounds quite scary, but — like pretty much any other type of attack — this one is not the end of the world. Here are a couple of tips on how to stay safe from KRACK attacks in case anyone decides to use them against you.
- Always check to make sure there’s a green lock icon in the address bar of your browser. That lock indicates that an HTTPS (encrypted and therefore secure) connection to this particular website is being used. If someone attempts to use SSLstrip against you, the browser will be forced to use HTTP versions of websites, and the lock will disappear. If the lock is in place, your connection is still secure.
- The researchers warned some network appliance manufacturers (as well as the Wi-Fi Alliance, which is responsible for standardizing the protocols) in advance of releasing their paper, so most of them should be in the process of issuing firmware updates that can fix the issue with key reinstallation. So check if there are fresh firmware updates for your devices and install them as soon as possible.
- You can secure your connection using a VPN, which adds another layer of encryption to the data transferred from your device. You can read more on what a VPN is and how to choose one, or grab Kaspersky Secure Connection right away.