There’s some bad news on the security front this morning, namely that your Wi-Fi network is at risk of being hacked thanks to a freshly uncovered vulnerability.
And unfortunately, this apparent flaw is in the WPA2 protocol, the tighter security used by most routers these days (the world has moved on from WPA, or the ancient WEP standard which is chock-full of holes).
According to Ars Technica, the exploit is called KRACK, and security researchers plan to reveal the exact details of the flaw at 13:00 today UK time (8:00 Eastern Time).
US-CERT (Computer Emergency Readiness Team) has already issued an advisory that warns: “US-CERT has become aware of several key management vulnerabilities in the four-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol.
“The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected.”
So the dangers range from simple eavesdropping to fully hijacking the connection, and misusing it to whatever ends the attacker might wish.
The exploit can apparently be leveraged in the third stage of the aforementioned four-way handshake: the encryption key can be resent multiple times during that stage, and the encryption is subsequently undermined through the reuse of a cryptographic nonce (short for ‘number used once’).
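Why a nonce must only be used once can be shown with a toy model. The following is an added example, not code from this article, the researchers or any vendor: `ToyClient`, the SHA-256 keystream and the sample data are constructed for illustration and are not WPA2's real cipher. It assumes that installing a key restarts the nonce counter, and compares that with a client that ignores a repeat of the key already in use.

```python
import hashlib

P1 = b"GET /inbox HTTP/1.1"   # constructed sample plaintexts
P2 = b"POST /login HTTP/1."   # same length as P1

def keystream(key, nonce, length):
    """Toy stream cipher: SHA-256 over key, nonce and a block counter."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(
            key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class ToyClient:
    """Hypothetical client. hardened=True ignores a repeat of the key in use."""
    def __init__(self, hardened):
        self.hardened, self.key, self.nonce = hardened, None, 0

    def install_key(self, key):
        if self.hardened and key == self.key:
            return              # key already in use: keep the counter running
        self.key, self.nonce = key, 0   # fresh install restarts the counter

    def send(self, plaintext):
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))

def run(hardened):
    """Return both nonces and whether c1 XOR c2 equals p1 XOR p2."""
    key = b"constructed-session-key"
    client = ToyClient(hardened)
    client.install_key(key)     # third handshake message arrives
    n1, c1 = client.send(P1)
    client.install_key(key)     # the same message is resent
    n2, c2 = client.send(P2)
    return n1, n2, xor(c1, c2) == xor(P1, P2)

if __name__ == "__main__":
    print("unpatched:", run(False))  # nonce repeats, keystream cancels
    print("hardened: ", run(True))
```

When the third value is true, the keystream has cancelled out of the two ciphertexts, so anyone listening learns how the two messages relate without ever holding the key.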
The practical upshot is that the vast majority of home and business WPA2 networks will be affected, with some already arguing that WPA2 is now effectively heading the same way as WEP (a short trip down redundant lane).
While some manufacturers have already patched their routers or network hardware, or are in the process of doing so, it’s likely that the response from other vendors will be worryingly sluggish (or indeed non-existent in some cases: in which case, maybe it’s time to buy a new router, perhaps on Black Friday).
All that said, it’s not clear how easy this exploit will be to leverage, and we’ll know more about that when the full revelation of the vulnerability comes later today. That will affect how likely it is that your average home user will be in danger here, as if this flaw isn’t an easy hole to open, the focus might be on juicier business networks (in other words, those worth the effort).
It’s all speculation at this point, but if you’re at all worried, you can always switch to using a VPN (so your data is encrypted anyway, in that case), or stick to HTTPS sites (which employ encryption, as opposed to plain HTTP) where possible.
Failing that, to be really safe, where possible you can use a wired Ethernet connection rather than Wi-Fi.
For further information on the response to this Wi-Fi vulnerability, and how it’s being addressed by the big tech companies including Apple, Google and Microsoft, read our follow-up story here.