A major flaw in Wi-Fi router security has been revealed which affects all modern Wi-Fi networks, and puts homes and businesses around the world at risk.
The exploit, dubbed "KRACK" (Key Reinstallation Attacks) by security researcher Mathy Vanhoef, breaks the WPA2 encryption commonly used to protect traffic on Wi-Fi networks. Not only could this permit eavesdropping by allowing hackers to decrypt supposedly secure communications, it could also be used to manipulate data for advanced “man-in-the-middle” attacks.
Because the flaw is inherent in the WPA2 standard it can affect any device which uses Wi-Fi, including Android and Apple smartphones. Changing Wi-Fi passwords does not offer any protection, and it will require firmware updates for all vulnerable hardware. But this relies on manufacturers creating patches and users installing them, so there will likely be a huge number of devices left unprotected.
Although KRACK is potentially dangerous the risk to home users is fairly minimal because it requires an attacker to be in physical proximity and connected to the network. The biggest danger may come from attacks on public Wi-Fi networks, which would prove an extremely tempting target due to the large number of users, ease of access and frequently poor security.
How can I protect my Wi-Fi and internet against KRACK?
Check for firmware updates
Login to your router’s admin management page and check for a firmware update.
To do this, use a web browser to visit the router’s IP address (for example, https://192.168.0.1 - check the manual, or look for a sticker on the router itself, to find out your router's IP) and then enter the admin password - also found in the manual or printed on the router if you have not changed it from the default.
As the exploit is very new it may take some time for a patch to be released so check back regularly. It’s a good idea to get into the habit of doing this anyway.
But don't forget to check for updates for all your other devices too. Although the router is a critical bit of kit KRACK can be used against anything that connects over Wi-Fi, which includes smartphones, tablets and lots of smart home gadgets.
Use a strong Wi-Fi password and disable WPS
In order to exploit KRACK a hacker would first need to connect to your Wi-Fi network. Make life as difficult as possible by shoring up your router's password security.
Passwords should be at least 12 characters and must not be a phrase which could be guessed or cracked with a dictionary attack (which use lists of words and common passwords).
We would also recommend disabling the 'WPS' feature found on most routers. This is designed to make it easy to connect Wi-Fi devices by pressing a button or entering a code, but it is vulnerable to attacks which can allow hackers to connect to your Wi-Fi.
Check that your router is using WPA2-AES encryption for wireless networking rather than WPA2-TKIP. Although both are vulnerable to KRACK, WPA2-AES does prevent more damaging hacks. Do not use WPA or WEP, which are older and even more insecure standards.
KRACK breaks the encryption on Wi-Fi networks but does not by itself do anything to affect encrypted web sites, your connection with them is protected by HTTPS. So long as you stick to using sites with secure links (look for the padlock symbol in the browser) you can be fairly confident that nobody is listening in.
Connect with a VPN
A Virtual Private Network (VPN) is a proxy service which encrypts all internet data, so even if you are using a network compromised by KRACK it will not be possible for the average hacker to see your internet activity, whether or not the web sites you’re accessing are using HTTPS. VPNs aren’t bullet-proof, and you do need to trust the VPN provider, but for the average person they provide a high level of security. If you’re not sure where to start we have a guide to using a VPN.