Mathy Vanhoef has discovered what may be the biggest vulnerability of the year - a flaw in the WPA2 protocol used to encrypt Wi-Fi communications.
In the wrong hands, an attacker could exploit the vulnerability in WPA2’s handshake protocols to intercept sensitive information such as passwords. At risk-devices include those running Android, Apple, Linux, OpenBSD and Windows operating systems.
Vanhoef describes the attack as being “exceptionally devastating against Linux and Android 6.0 or higher.”
However, don’t panic too much.
Much of the web these days (and an increasing number of apps) are using HTTPS/SSL for encryption, limiting the opportunities for stealing information through the KRACK attack.
Furthermore, an attacker has to be within range of your Wi-Fi network to launch a KRACK attack against it. This isn’t something that a hacker on the other side of the world can use to spy on you.
Finally, Wi-Fi hardware vendors were informed responsibly of the KRACK attack from July onwards, long before it was made public - meaning that many have been beavering away developing fixes. Accordingly, there is a long list of advisories from many different vendors that you can peruse at your leisure.
The rules haven’t changed - reduce the risk by patching your devices as soon as security updates are released. And, if you have access to a trusted VPN service, use it to add an additional layer of protection!
Oh and a side note. Developers who *hadn’t* been properly following the WPA2 specification ironically found that their software *wasn’t* vulnerable to exploitation. There’s really no justice in the world, is there?
Hear more about KRACK in this episode of the “Smashing Security” podcast: