In an Internet of Things world in which everything from your phone to your toilet is communicating with your home router, it’s a good idea to maintain a healthy level of paranoia: If the device you’re using has Wi-Fi capabilities, it’s vulnerable to attack, even if it’s password-protected. It won’t be too long before your paranoia is validated — as it was today, when news of a Wi-Fi vulnerability was published. The bad news is that the vulnerability is in the very mechanism that’s supposed to keep connections secure. The good news — good being a relative term here — is that you should be able to protect yourself by upgrading all your devices.
The newly discovered vulnerability, known as the KRACK attack, concerns the WPA2 protocol that most routers use to encrypt connections between client devices — your laptop, phone, etc. — and the router. KRACK is short for “Key Reinstallation Attack” and exploits a four-way “handshake” that happens when a device connects to a network (and for those of you paying close attention, yes, “KRACK attack” is redundant, like “ATM machine”).
As KRACK discoverer Mathy Vanhoef notes, “[t]he attack works against all modern protected Wi-Fi networks,” and all sorts of devices are susceptible to the attack. In simple terms, the attack tricks devices into reusing encryption keys that should only be used once, allowing traffic between the client and the router to be intercepted and, potentially, analyzed. In addition to being protected by WPA2, web traffic is often protected by HTTPS as well, and a flaw in the former does not necessarily compromise the latter.
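To make that mechanism concrete, here is an added Python simulation of the client-side bug (it is not code from this article or from Vanhoef’s research): a vulnerable client reinstalls the session key every time handshake message 3 arrives, which resets its packet number to zero, so the next frame is encrypted with a keystream it already used, while a client patched to ignore reinstallation of an already-installed key keeps counting. The session key, the packet numbers and the SHA-256 stand-in for WPA2’s AES-CTR keystream are constructed for the simulation.

```python
import hashlib


def keystream(ptk: bytes, packet_number: int, length: int) -> bytes:
    """Keystream for one frame, derived from (session key, packet number).

    Constructed stand-in for WPA2 CCMP's AES-CTR keystream: the same key and
    the same packet number always yield the same bytes, which is exactly why
    the packet number must never repeat under one key."""
    out = b""
    block = 0
    while len(out) < length:
        msg = ptk + packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(msg).digest()
        block += 1
    return out[:length]


class Client:
    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.packet_number = 0

    def on_handshake_msg3(self, ptk: bytes) -> None:
        # Vulnerable behaviour: any message 3, including a retransmission,
        # (re)installs the key and resets the packet number to zero.
        # Patched behaviour: a key that is already installed is left alone,
        # so the packet number keeps increasing.
        if self.patched and self.ptk == ptk:
            return
        self.ptk = ptk
        self.packet_number = 0

    def encrypt(self, plaintext: bytes):
        pn = self.packet_number
        self.packet_number += 1
        ks = keystream(self.ptk, pn, len(plaintext))
        return pn, bytes(p ^ k for p, k in zip(plaintext, ks))


def simulate(patched: bool) -> dict:
    """Send one frame, receive a retransmitted message 3, send another frame."""
    ptk = b"constructed-session-key"          # constructed sample key
    client = Client(patched)
    client.on_handshake_msg3(ptk)              # normal handshake completes
    pn1, ct1 = client.encrypt(b"first frame, 20 by")
    client.on_handshake_msg3(ptk)              # message 3 arrives again
    pn2, ct2 = client.encrypt(b"second frame, 20 b")
    reused = keystream(ptk, pn1, 18) == keystream(ptk, pn2, 18)
    return {"packet_numbers": (pn1, pn2), "keystream_reused": reused}
```

A repeated packet number under the same key is the observable symptom: a client that logs or counts such repeats after a handshake can tell a patched stack from a vulnerable one.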
If you’re interested in watching a technical video and nodding silently and saying, “Ah, I totally understand this” to yourself, you can see a narrated demo below.
As for what else to do? Just make sure that all of your devices have the most up-to-date operating system. Anything running Linux or Android 6.0 is supposedly the most vulnerable type of device. The bug was disclosed to vendors earlier this summer, and large companies like Microsoft say that they already have a fix in place. On the flip side, there are millions of other devices that will never be upgraded but will remain in use, a ticking time bomb as we count down to oblivion.