Wi-Fi, the wireless data transfer technology practically all of us use on a daily basis, is in trouble.
The WPA2 security protocol, a widespread standard for Wi-Fi security that's used on nearly every Wi-Fi router, has apparently been cracked.
The details on the security exploit, which is called KRACK, or Key Reinstallation Attacks, are to be released at 8am ET Monday on the site www.krackattacks.com.
But according to a new advisory by US-CERT, via Ars Technica, there are "several key management vulnerabilities" in WPA2, allowing for "decryption, packet replay, TCP connection hijacking, HTTP content injection." The worst part? These are "protocol-level issues," meaning that "most or all correct implementations of the standard will be affected."
We'll know more when the details about KRACK are released, but if it turns out that one can use this exploit in a fairly simple and reliable way, then this is one of the biggest online security threats ever.
To see why, one has to go just a little bit back into the past. Wi-Fi used to be secured with a standard called WEP, which was found to be vulnerable to a multitude of attacks, many of which don't require the attacker to have physical access to the Wi-Fi equipment or even be connected to the network. Over time, tools that make these attacks simple have been developed, and now, if your Wi-Fi is protected by WEP, there's a choice of simple mobile and desktop apps that crack your password in seconds (no matter how long or complicated it is).
Because of these issues, WEP was mostly replaced with WPA and, later, WPA2, which are far more secure. Though there were ways to crack a WPA2-protected Wi-Fi router, if your password was long and complicated enough, it made it a lot harder or nearly impossible to do.
(For completeness' sake, one hacking tool, called Reaver, can crack WPA2-protected routers no matter the password, but it's fairly simple to protect your router — you simply have to turn off a feature called WPS.)
If this latest vulnerability is similar to the way WEP is vulnerable — and it looks like it is at the moment — then it won't matter how strong a password you chose. This would make hundreds of millions of routers out there, used by individuals and businesses alike, open to hackers. It would mean that, if you care about security, you should not use Wi-Fi at all until this is fixed. At the very least, you should use HTTPS connections whenever possible, and a good VPN might add another layer of security.
And fixes for these types of things don't come easy. Some routers will probably get a firmware update, but a lot of home users might not know how to apply it, or be aware that this is a threat. Again, going back to the time when WEP was cracked in 2001, it took years for ISPs to start shipping routers with WPA and WPA2 enabled as default, leaving many customers wide open to attacks.
We'll know more after the announcement today; stay tuned for updates.
