A researcher in Belgium, Mathy Vanhoef, has discovered a new security flaw which can affect your Wi-Fi connection. The issue comes from a weakness in the wireless security protocol WPA2, and can potentially expose wireless internet traffic to eavesdroppers and attacks.

According to Vanhoef’s report, “Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos and so on.” He also said that, “the attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”

The vulnerability has been named KRACK, short for Key Reinstallation AttaCK, and affects several operating systems and devices including Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and more. Windows has already announced that they have released a security update to patch the vulnerability, and other companies are working on a fix.

Luckily, hackers can only implement an attack if they are within range of your Wi-Fi network, and the vulnerability does not exploit your Wi-Fi password. The attack is also unlikely to affect the security of information sent over a network that is protected in addition to WPA2 encryption. So, connections to secure websites using HTTPS (those that display a padlock in the address bar) are safe, as well as other encrypted connections such as virtual private networks (VPN). On the flip side, websites that do have a secure connection should be considered public and viewable until the vulnerability is fixed.

Routers and all devices should be updated when a security update is released. It is a little more challenging to update a router in your home as updates are infrequently released, but your updated devices will still be able to communicate with an insecure router. If a router patch is not released quickly, you may want to consider purchasing a wireless access point that has already been patched.  Plugging that into your router and disabling Wi-Fi on the router itself can make your Wi-Fi secure.

The most important lesson to take away from this vulnerability is that you cannot rely solely on one form of security. You can’t just trust your Wi-Fi router, you also need to make sure you are using a secure web connection and have PCs password protected, ideally on a domain.

If you have any questions or concerns, feel free to contact us!