Your Wi-Fi connection is probably using the WPA2 security protocol. Yes, the one you're using right now. If there's a password for your Wi-Fi connection, and you're not nestled deep in the bowels of an enterprise-grade business campus that relies on stronger encryption tools, I'd bet good money that these very words flowed through a WPA2 connection.
Well, that WPA2 security protocol isn't completely safe anymore. Any device that runs WPA2 as originally designed is now open to a new attack known as KRACK -- short for "key reinstallation attack."
Read on to see how this affects you and what the providers of Wi-Fi systems are doing about it.
The KRACK attack
In simple terms, the new attack works by sending many network messages using the same supposedly unique single-use message number, confusing the WPA2 protocol in several dangerous ways. The attacker can then decrypt the encrypted data flow, start a whole new connection with new security settings, or erase the original encryption key altogether. All of this is Bad News(tm) for the victim of such attacks, basically wiping out the encryption from your secure connection. It's all plain text after that, as if you hadn't logged on to create a secure connection at all.
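Why a repeated single-use message number is so damaging, shown as an added example that is not part of the original article: the cipher is a toy SHA-256 keystream standing in for the real Wi-Fi encryption, and the `Link` class, key and messages are constructed for illustration. The `patched` branch models, as an assumption, a fix that refuses to reset the counter when the key already in use is installed again.

```python
import hashlib

# Constructed sample messages of equal length (not real traffic).
P1 = b"GET /inbox HTTP/1.1"
P2 = b"password=hunter2!!!"

def keystream(key, nonce, length):
    """Toy keystream: SHA-256 over key, message number and block index."""
    out, block = b"", 0
    while len(out) < length:
        data = key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(data).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Link:
    """Simplified sender: one key and a message counter that must never repeat."""
    def __init__(self, patched):
        self.patched, self.key, self.counter = patched, None, 0

    def install_key(self, key):
        # Assumed patched behaviour: installing the key that is already in
        # use is ignored, so the counter keeps counting upward.
        if self.patched and key == self.key:
            return
        self.key, self.counter = key, 0  # unpatched: counter restarts

    def send(self, plaintext):
        self.counter += 1
        stream = keystream(self.key, self.counter, len(plaintext))
        return self.counter, xor(plaintext, stream)

def run(patched):
    """Send P1, install the same key a second time, then send P2."""
    key = b"constructed-session-key"
    link = Link(patched)
    link.install_key(key)
    n1, c1 = link.send(P1)
    link.install_key(key)
    n2, c2 = link.send(P2)
    return n1, c1, n2, c2

def encryption_cancels_out(patched):
    """True when XORing the two ciphertexts equals XORing the two plaintexts."""
    _, c1, _, c2 = run(patched)
    return xor(c1, c2) == xor(P1, P2)
```

When the counter restarts, both messages are masked with the same keystream, so the key drops out of the comparison entirely and anyone who can guess one message learns the other.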
No KRACK attacks have been reported in the wild yet, but they will surely come. The vulnerability was discovered by computer science professor Frank Piessens and postdoctoral researcher Mathy Vanhoef at the University of Leuven, Belgium, several weeks ago. In researching this novel attack technique, the researchers found that "every Wi-Fi device is vulnerable to some variant of our attacks," and Android version 6.0 (Marshmallow) was subject to particularly "devastating" effects. Wi-Fi device makers were notified in August. The findings were presented on Oct. 16 and will be further clarified at the Black Hat Security Conference in Las Vegas next month.
What can I do?
Since KRACK affects all Wi-Fi devices currently on the market, every WPA2 connection is suspect until further notice. That's no different from connecting your smartphone to a password-free Wi-Fi network in your favorite coffee shop, where the guest network doesn't even attempt to set up a secure WPA2 session.
Privacy-craving network users have found several ways to work around such unsecure connection environments:
- Skip Wi-Fi and connect using a network cable instead, via an Ethernet or USB plug. This way, there's no radio traffic for other devices to listen in on.
- Set up a virtual private network, or VPN, connecting your device through a secure link running on top of the unsecure Wi-Fi network. It's like putting your sensitive data in a tamper-proof lockbox before sending it across town in the backseat of a random Uber. All the attackers can read is another form of separately encrypted data. Here, your system is secure as soon as the VPN connection has been set up and activated.
- Make sure that the apps and web pages you use rely on encrypted HTTPS links, identified by padlock icons in the address bar and network addresses starting with https:// instead of http://. Let's say you skip the lockbox but wrap each one of your sensitive messages into its own uncrackable safety pouch -- either way, your data will get to its destination unread and unharmed.
Plain old HTTP is becoming rare these days, as Google (NASDAQ:GOOG) (NASDAQ:GOOGL) started rewarding sites with higher rankings in search results when they use the secure version instead. When Google changes search result algorithms, web publishers pay attention. This policy change started in 2014 and was given more weight in 2017, setting most of us up to weather the KRACK storm mostly unharmed -- as long as we're using web browsers such as Safari, Chrome, or Firefox. Mobile apps may depend on unsecure HTTP connections without our knowledge, so trusting HTTPS to do the heavy lifting is not a perfect solution.
Nothing is stopping you from using several of these methods together, adding several layers of security to your online experience. Some people prefer to save their sensitive network usage for the safety of their hardwired Ethernet connections at home or at work. So you can stay safe even when the actual KRACK attacks start. Also, nobody is stealing your Wi-Fi passwords here, and it won't help to change your login details. That's not what this encryption-mangling attack is about.
WPA2 replaced an earlier security standard known as WEP, which was found to be unsecure in 2001. By 2004, WPA2 entered the scene and has remained the best choice for secure Wi-Fi links ever since. It's been a good 13-year run.
A few hardware and software vendors have already worked up fixes for the KRACK attack. According to Ars Technica, both Ubiquiti Networks (NASDAQ:UBNT) and Hewlett Packard Enterprise (NYSE:HPE) subsidiary Aruba Networks have produced patches for this attack vector, either blocking or blunting its effects for their enterprise-class Wi-Fi customers. Updating these routers to the latest firmware and software should restore your WPA2 connections to full security. Other network vendors are working on similar repairs, and you can track their progress at Carnegie Mellon's CERT entry for the KRACK incident.
This isn't the first blood-chilling network attack, and it won't be the last. Until your Wi-Fi-enabled routers, access points, tablets, and smartphones get their own security updates, just be careful out there.
The fixes are coming, and a patched version of WPA2 could stay relevant for years to come. But I'm sure the next next-generation security solution is already being hammered out, applying lessons learned from the KRACK panic.
Suzanne Frey, an executive at Alphabet, is a member of The Motley Fool's board of directors. Anders Bylund owns Class A shares of Alphabet. The Motley Fool owns shares of and recommends Alphabet (A and C shares) and Ubiquiti Networks. The Motley Fool has a disclosure policy.