The KRACK Wi-Fi exploit has exposed a big hole in the WPA2 Wi-Fi standard that makes billions of devices vulnerable to attack when connected to Wi-Fi. The vulnerability affects most devices that can connect to Wi-Fi.
Currently, all modern protected Wi-Fi networks use the 4-way handshake. This implies all these networks are affected by (some variant of) our attack. For instance, the attack works against personal and enterprise Wi-Fi networks, against the older WPA and the latest WPA2 standard, and even against networks that only use AES. All our attacks against WPA2 use a novel technique called a key reinstallation attack (KRACK):
The security researcher who made this vulnerability public claims that as many as 41% of Android phones are impacted.
Because Android uses wpa_supplicant, Android 6.0 and above also contains this vulnerability. This makes it trivial to intercept and manipulate traffic sent by these Linux and Android devices. Note that currently 41% of Android devices are vulnerable to this exceptionally devastating variant of our attack.
How to protect yourself from KRACK:
Wi-Fi plays such an important role in our connected lives that it may be difficult to imagine living without it. Since the WPA2 vulnerability affects even protected enterprise and personal networks, we can only try to protect ourselves until it is patched.
- Update all your devices (phones, tablets, IoT devices, computers) and Wi-Fi routers with the latest security patches. Switch on automatic updates for your devices wherever possible. Update the firmware on routers and other IoT devices.
- Use Ethernet cables instead of Wi-Fi, as this attack doesn’t affect wired LAN networks.
- Avoid public Wi-Fi hotspots like the plague.
- Use cellular data on your phone instead of Wi-Fi. This can be costly but will protect your device too.
- If you have to use Wi-Fi, only access sites and web pages over HTTPS. Check that the page loads over HTTPS before making any important transaction.
- You can also install the HTTPS Everywhere extension on Google Chrome, Firefox or Opera. This makes the browser force HTTPS on the sites that you visit.
- Using a well-known, high-quality paid VPN is a good idea to keep yourself protected, though you need to check the VPN provider’s credibility first.
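
One way to carry out the HTTPS check from the list above beyond glancing at the address bar, as an added example that is not part of the original article: a small Python audit of the hops a browser makes when loading a site, flagging any cleartext request and a missing HSTS header. The site name `shop.example`, the sample chain and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the hops a browser makes after the user types
# "shop.example" (hypothetical site), as (url, status, response headers).
SAMPLE_CHAIN = [
    ("http://shop.example/", 301, {"Location": "https://shop.example/"}),
    ("https://shop.example/", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]

def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or 0 if absent or malformed."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            m = re.search(r'(?i)\bmax-age\s*=\s*"?(\d+)', value)
            return int(m.group(1)) if m else 0
    return 0

def audit_chain(chain):
    """List the findings for one navigation, in hop order."""
    findings = []
    for url, status, headers in chain:
        parts = urlsplit(url)
        if parts.scheme != "https":
            # Cleartext hop: visible to anyone who can read or alter the
            # Wi-Fi traffic, whatever the link-layer encryption claims.
            findings.append(f"cleartext request to {parts.netloc}")
            if hsts_max_age(headers):
                # Browsers ignore HSTS received over plain HTTP (RFC 6797).
                findings.append("HSTS header sent over HTTP is ignored")
    final_url, _, final_headers = chain[-1]
    if urlsplit(final_url).scheme != "https":
        findings.append("final page is not HTTPS")
    elif hsts_max_age(final_headers) == 0:
        findings.append("no HSTS: next visit may start over HTTP again")
    return findings

if __name__ == "__main__":
    for finding in audit_chain(SAMPLE_CHAIN) or ["HTTPS enforced on every hop"]:
        print(finding)
```

In the sample, the page ends up on HTTPS with HSTS set, yet the first request still went out in cleartext; typing the `https://` address directly or using a browser extension that forces HTTPS removes that first hop.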