krackThis week, security researchers identified an obscure, but severe vulnerability in the WPA2 protocol, something that’s responsible for ensuring the security of nearly every modern Wi-Fi-enabled device. Since this vulnerability may impact essentially anyone connected to Wi-Fi, the moment the implications of this vulnerability became clear, news of it spread relatively quickly among both tech and non-tech publications. Unfortunately, given the details surrounding the vulnerability, it might not be clear to the average user what this is about and how it impacts them. To help, we’re breaking down the details surrounding this vulnerability and explaining what users can do to stay safe.

What’s this all about?

You might have seen headlines like “Wi-Fi is Broken,” which are true to some extent, as the severity of this vulnerability cannot be understated, but might be confusing to the average user. What you should know is that the vulnerability in question, exploitable through an attack which has been dubbed KRACK (Key Reinstallation Attack) by the Belgian academic researcher who identified it, allows for the encryption standard most wireless devices use (WPA2) to be bypassed. Doing this means that someone can potentially view any data flowing between your wireless device, such as your phone or laptop, and your Wi-Fi network. As such, if you have a device that communicates using Wi-Fi, be it a phone, computer or router, you should assume it’s able to be compromised.

How does KRACK work?

The details of how KRACK works are fairly technical, but it’s important to note that the attack doesn’t actually break encryption, not directly at least, and instead exploits a weakness in an authentication method WPA2 uses to establish a connection. This exploit allows a malicious actor to communicate with a wireless device or network. From there, depending on how the network is configured, they can either view traffic or manipulate it with a man-in-the-middle attack. In this regard, KRACK is similar to many of the exploits hackers pull off on patrons using public Wi-Fi, but unlike those exploits, KRACK can affect any Wi-Fi-enabled device from anywhere — meaning that with this vulnerability, avoiding public Wi-Fi is no longer enough to stay safe online.

As dreadful as this all sounds, some silver linings do remain. First, it’s not clear that anyone has exploited this vulnerability or knows how it works, given how technical it is. Second, some technology vendors have already developed or are already working on patches for the issue. Third, network traffic is usually encrypted on multiple levels. For example, HTTPS is a layer of encryption independent of WPA2, so even if this WPA2 exploit is used, assuming the victim is browsing HTTPS websites, they’re (technically) safe. Finally, the hack requires physical proximity to the target device (be it a router or computer), meaning that it isn’t likely that the average individual has been targeted by this kind of exploit. Still, the last point is not a license to disregard the severity of this issue; while you shouldn’t panic, news of this issue should put you on notice, as there are a few things you should do to ensure your information remains safe and isn’t compromised (as we detail below).

How are tech companies and manufacturers responding to the news?

Because this is an implementation issue with a security protocol, the responsibility falls on manufacturers, not consumers, to fix this issue. Luckily, security experts are saying that although KRACK is severe, it doesn’t break WPA2 as an encryption standard (previous standards like WPA1 and WEP have been broken completely, forcing the need to migrate to newer types of Wi-Fi encryption). Given this, tech manufacturers and software developers will need to patch their products to make sure KRACK won’t affect them.

One of the first things you should do is to take a tally of all of the Wi-Fi enabled devices in your life – phones, routers, smart devices – and find out what company made each of them. Once you have that information, you’ll want to visit each of the manufacturers’ websites to see if your devices have any updates specifically addressing KRACK-related vulnerabilities. There are vendors who’ve already made statements about their progress on patches, but you’ll want to make sure that all of your devices – from the most frequently used to the obscure – get patched. Any devices whose manufacturers are slow to respond or notify consumers about their progress should be used with caution (or disconnected for the time being) in the coming weeks. Given the severity of this issue, and the increasing role the cybersecurity plays in our lives, it’s important that companies who don’t take cybersecurity seriously not continue to enjoy consumer support.

Something else that you should keep in mind is that your router’s settings might be subject to a configuration that your Internet Service Provider (ISP) has chosen. If this is the case, you should listen out to news from your ISP and monitor its public response. If you’re not fully comfortable with its response, you might be able to switch providers or, at the very least, be able to purchase a router that you’ll have more control over, as opposed to renting or borrowing one.

How can you stay safe?

It’s important to know that even though there are companies that have already made a public announcement about potential updates, it might be weeks before some devices actually receive these updates. Until then, here’s how you can best stay safe.

Stick to sites with HTTPS (or use a VPN)

As mentioned above, web traffic can be encrypted at different levels. Wi-Fi encryption, like WPA2, ensures that no one outside of a network (and others sharing your connection) can view your activity. HTTPS is its own form of encryption that hides contents shared between a user and a server, rather than on the network the user is connected to. So even if your Wi-Fi network has been breached, a hacker would need some separate exploit to decrypt the contents of your connection to a site with HTTPS. This is why it’s very important for you to stick to HTTPS sites whenever possible, especially when inputting text into forms online. Alternatively, you can use a Virtual Private Network, assuming that you find one that you trust.

Disable your phone’s Wi-Fi if you’re not using it

We’ve spoken before about metadata and how “always connected” devices – wearables or other Internet of Things (IoT) devices – can compromise your privacy and security. Now that we know Wi-Fi has inherent vulnerabilities, you’ll want to only have Wi-Fi enabled when you’re actively connected to the Internet. That means turning off your phone’s Wi-Fi whenever you’re not using the Internet and sticking to cellular data when you can.

Avoid public Wi-Fi

We’ve spoken at length before about the dangers of public Wi-Fi, but if you weren’t convinced before, this should definitely convince you now. While all Wi-Fi networks are at risk of KRACK, since public Wi-Fi is easily accessible and always running, there’s a far greater likelihood that someone has or will compromise your favorite coffee shop’s hotspot with this exploit. If you absolutely must use public Wi-Fi, make sure to run a well-configured VPN or a plugin like HTTPS Everywhere that will make all of your online activity HTTPS.

Think twice before using IoT devices

The vulnerabilities of IoT products is something we’ve covered extensively. As such, it’s important for you to realize that, like with public Wi-Fi, this announcement also means that the security of IoT devices is something that is now in question, if it wasn’t already. The reason is that IoT devices often have hard-coded security settings, and even when they don’t, it can take longer for these devices to receive security updates. A vulnerability this serious is something that needs to be addressed immediately, meaning a class of devices lacking a stringent security standard, like IoT devices, could introduce unnecessary weaknesses to your network.

Be selective about connecting to Wi-Fi (or who you let connect to your own network)

Finally, one of the major takeaways from this vulnerability disclosure is that we should be very selective about who we let connect to our networks and what networks we connect to. While we can control the security settings of our own networks and who uses ours, we can’t control that of others. This means that we can’t ever know for sure if a friend’s Wi-Fi has been compromised. Perhaps a friend of a friend did something or a mooching neighbor made modifications when no one was looking. Whatever the case is, you should think long and hard about where you’re connecting to Wi-Fi and why.

Continue reading our technology blog for more detailed and comprehensive analyses of the latest technology related news.