Major Wi-Fi security flaw discovered by researchers
The security protocol currently used to protect the vast majority of Wi-Fi connections has been broken, the US-CERT and the Belgian university KU Leuven publicly disclosed on October 16, 2017. The weakness exposes wireless Internet traffic to malicious eavesdroppers and attacks.
In other words: hackers can snoop on your online traffic, even if the network security is properly configured with the WPA2 protocol, which seemed reliable only a couple of days ago. It turns out that using wireless Internet networks without a VPN may be even riskier than previously thought.
What we know so far
The issue with WPA2, demonstrated by a proof-of-concept exploit called KRACK (Key Reinstallation Attacks), allows “attackers to eavesdrop Wi-Fi traffic passing between computers and access points,” Ars Technica reported.
The US-CERT has recently distributed an advisory to about 100 organizations, warning that the discovered weakness can allow an attacker to decrypt network traffic from a WPA2-enabled device and hijack connections. Depending on the network configuration, it is also possible hackers could inject and manipulate data.
These are “protocol-level issues,” meaning that “most or all correct implementations of the standard will be affected.”
As stated by a researcher familiar with the vulnerability, it works by exploiting a four-way handshake used to establish a key for traffic encryption. During the third step of the process, the supposedly unique key can be resent multiple times. If a hacker can get it resent in a certain way, they can reuse it in a manner that completely undermines the encryption.
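A simplified model of the flaw described above, added here as an illustration and not taken from the researchers' or any vendor's code. The `Client` class, its `on_message3` method, the HMAC-based keystream (a stand-in for the WPA2 data cipher) and the sample frames are all assumptions made for this example; it shows why reinstalling the same key resets the nonce and repeats the keystream, and how a client that refuses to reinstall an already-installed key avoids that.

```python
import hashlib
import hmac

P1 = b"GET /inbox HTTP/1.1"  # constructed sample frames, not real traffic
P2 = b"POST /login HTTP/1"

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key, nonce, length):
    # Toy stand-in for the WPA2 data cipher: output depends only on (key, nonce).
    out, block = b"", 0
    while len(out) < length:
        msg = nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

class Client:
    """Hypothetical client model: installed key plus transmit nonce counter."""
    def __init__(self, patched):
        self.patched, self.key, self.nonce, self.used_nonces = patched, None, 0, []

    def on_message3(self, key):
        # Third step of the four-way handshake: install the session key.
        if self.patched and key == self.key:
            return  # key already installed: keep the nonce counter as it is
        self.key, self.nonce = key, 0  # installing a key resets the nonce

    def send(self, plaintext):
        self.nonce += 1
        self.used_nonces.append(self.nonce)
        return xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))

def run(patched):
    key = bytes(range(16))  # constructed sample key
    c = Client(patched)
    c.on_message3(key)
    first = c.send(P1)
    c.on_message3(key)  # the third handshake message arrives a second time
    second = c.send(P2)
    return first, second, c.used_nonces

if __name__ == "__main__":
    for patched in (False, True):
        first, second, nonces = run(patched)
        leaked = xor(first, second) == xor(P1, P2)
        print(f"patched={patched} nonces={nonces} keystream_repeated={leaked}")
```

When the keystream repeats, XORing the two ciphertexts cancels it out and leaves the XOR of the two plaintexts, which is why nonce reuse undermines the encryption without the key ever being recovered.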
What is being done?
Past cases show that fixes for these types of vulnerabilities don’t come easy. Some devices will get a firmware update, but many home users might not know how to apply it or may not have enough information about the threat. When the WEP protocol was cracked in 2001, it took years for ISPs to switch to routers with WPA and WPA2 enabled by default, leaving many customers at risk of attacks.
However, one researcher told Ars Technica that Aruba and Ubiquiti, which provide wireless access points to government organizations and large corporations, already have updates available to patch or mitigate the vulnerabilities. More vendors are bound to follow with security updates.
What can you do now?
First of all, you should assume that any wireless network is vulnerable to potential breaches and take necessary precautions. At the very least, you need to use HTTPS connections whenever possible, but that will not provide full protection for your devices.
Using a reliable VPN, such as NordVPN, is the key here – it will add an extra layer of security on the entire device. A VPN reroutes your online data through a ‘tunnel’ secured with military-grade encryption, ensuring that no third parties can eavesdrop on it. However, please note that it will not help if configured on your router. Your devices must be connected to the VPN from within your network.
What’s more, you should look for security patches for all smart home gadgets in your house. Depending on their configurations, they could be hacked to leak data and allow hackers to copy or change passwords on your locks and alarm systems.
If you’re into technical details, you can read more about the exploit at krackattacks.com. The vulnerabilities will be formally presented on November 1st in a talk titled Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 at a security conference in Dallas.