If you thought your protected Wi-Fi was safe, think again. Nearly all devices are affected by the new KRACK exploit.
Taylor Martin, CNET Contributor
Solid advice for setting up a new wireless router or Wi-Fi network in your home is to password-protect it. Set a secure password using Wi-Fi Protected Access 2 (WPA2) and only share it with those you trust.
Since the WPA2 standard became available in 2004, this has been the recommended setup for wireless networks everywhere -- and it was thought to be relatively secure. That said, like the deadbolt on your house, password protection is really only a strong deterrent. As secure as WPA2 was believed to be, it was only ever as strong as your password, and only as safe as the next vulnerability discovered in it.
Over the weekend, a vulnerability was indeed discovered and turned the internet on its head.
A proof-of-concept exploit called KRACK (which stands for Key Reinstallation Attack) was unveiled. The ominously named crypto attack exploits a flaw in the four-way handshake process between a user's device trying to connect and a Wi-Fi network. It allows an attacker unauthorized access to the network without the password, effectively opening up the possibility of exposing credit card information, personal passwords, messages, emails and practically any other data on your device.
The even more terrifying bit? Practically any implementation of a WPA2 network is affected by this vulnerability, and it's not the access point that's vulnerable. Instead, KRACK targets the devices you use to connect to the wireless network.
The website demonstrating the proof-of-concept states, "Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and others are all affected by some variant of the attacks." That said, most current versions of Windows and iOS devices are not as susceptible to attacks, thanks to how Microsoft and Apple implemented the WPA2 standard. Linux and Android-based devices are more vulnerable to KRACK.
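To see what "key reinstallation" actually does, here is an added illustration that is not from the original article or from the KRACK researchers' code: a simplified model in which reinstalling a session key resets the per-packet nonce, so the same keystream gets reused, while a patched client simply refuses to reinstall a key it already has. The stream cipher, the key and the packet contents are constructed stand-ins, not real WPA2 code.

```python
import hashlib
import hmac

# Constructed stand-in for a nonce-based stream cipher (the role AES-CCM plays
# in WPA2): keystream block = HMAC(key, nonce || block counter). Stdlib only.
def keystream(key: bytes, nonce: int, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Simplified client-side session state after the four-way handshake."""
    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.nonce = 0

    def install_key(self, key: bytes) -> bool:
        # Vulnerable behaviour: (re)installing a key resets the packet nonce to 0.
        # Patched behaviour: a key that is already installed is never reinstalled.
        if self.patched and key == self.key:
            return False
        self.key = key
        self.nonce = 0
        return True

    def encrypt(self, plaintext: bytes) -> tuple:
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))

def simulate(patched: bool) -> tuple:
    """Send a packet, process a retransmitted handshake message 3, send another.
    Returns (nonce_reused, bytes recoverable for packet 2 if packet 1 is known)."""
    ptk = hashlib.sha256(b"constructed pairwise key").digest()
    pt1 = b"GET /login HTTP/1.1\r\n"    # constructed sample frames, equal length
    pt2 = b"password=hunter2abc\r\n"
    c = Client(patched)
    c.install_key(ptk)
    n1, ct1 = c.encrypt(pt1)
    c.install_key(ptk)                  # retransmitted message 3 -> reinstall
    n2, ct2 = c.encrypt(pt2)
    # With a reused nonce, ct1 ^ ct2 == pt1 ^ pt2; a patched client breaks this.
    return n1 == n2, xor(xor(ct1, ct2), pt1)
```

The vulnerable client reuses nonce 1 and the second packet falls out of the XOR; the patched client ignores the duplicate handshake message and the XOR yields nothing useful.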
Editor's note: Originally published Oct. 16, 2017, this article has been updated to include new vendors with security patches for the WPA2 exploit.
What you can do
So what can you do right now?
Keep using the WPA2 protocol for your networks. It is still the most secure option available for most wireless networks.
Update all your devices and operating systems to the latest versions. The most effective thing you can do is check for updates for all of your electronics and make sure they stay updated. Users are at the mercy of manufacturers and their ability to update existing products. Microsoft, for example, has already released a security update to patch the vulnerability. Google said in a statement that it "will be patching any affected devices in the coming weeks." Patches for Linux's hostapd and WPA Supplicant are also available.
Changing your passwords won't help. It never hurts to create a more secure password, but this attack circumvents the password altogether, so a new one won't help.
Know that KRACK is mostly a local vulnerability -- attackers need to be within range of a wireless network. That doesn't mean your home network is totally impervious to an attack, but the odds of a widespread attack are low due to the way the attack works. You're more likely to run into this attack on a public network. For more, read our FAQ on KRACK.
Available updates so far
The good news is that with such a dangerous vulnerability, companies have been quick to patch their software. Here's a list of all the companies that have released security patches or information so far:
Apple has already created a patch for the exploit in betas for iOS, MacOS, WatchOS and TVOS.
Wi-Fi Alliance now requires testing for the vulnerability and provides a detection tool for Wi-Fi Alliance members.
WatchGuard released patches for Fireware OS, WatchGuard access points and WatchGuard Wi-Fi Cloud.
A list of vendors that have patched the vulnerability can be found on the CERT website, though the site appears to be under heavy traffic.
More important KRACK facts
Fortunately, there are a few comforting thoughts:
The Wi-Fi Alliance stated it now "requires testing for this vulnerability within our global certification lab network," which is promising for any new devices headed to shelves. It's also providing a vulnerability detection tool for Wi-Fi Alliance members to test their products with.
Using a virtual private network (VPN) will encrypt all your internet traffic and could protect you from such an attack. Not to mention, it's good practice to use a VPN if you care about your online privacy or security anyway.
Strictly using sites that use HTTPS can help protect you against KRACK, but HTTPS isn't totally impervious either.
This is a developing story. Check back for additional tips as we have them.