The nail in WPA2’s coffin: how the KRACK hack affects every Wi-Fi user

Last week, we had no idea WPA2 had a coffin, let alone any nails in it, but today, it’s all over the news, from Forbes to Newsweek to The Next Web with their clever copywriting. WPA2′s security is now considered dead—six feet under—putting us all at risk. How and why? Here are questions we all have with explanations and important advice on what to do, from our CEO, Francis Dinha.

1. What is WPA2? Wi-Fi Protected Access 2, WPA2, is the strongest encryption option for Wi-Fi networks. It replaced the original WPA tech, which was created to boot out the older – far less secure – WEP (Wired Equivalent Privacy).

2. What is KRACK? This is the vulnerability found in WPA2: Key Reinstallation AttaCKs. A hacker can decrypt all data transmitted by a victim. This could include anything from credit card numbers, passwords, messages, emails, photos, and more. KRACK is a flaw which primarily hits the “client” side of WIFI/WLAN. It lures the client to connect to an access point (router) an attacker controls.  It does not break the encryption of WPA2. KRACK was caused by poor wording in the WPA2 standards specification, which did not explicitly say what should happen in a specific event when the client connects to an new access point.  Once a WLAN client is lured to connect to the attackers access point, the data traffic between the WLAN client and the Internet services it accesses can be monitored and mangled, making it easier to mount additional attacks which can compromise the connection to a service.

But the WPA2 encryption? It’s still rock solid.  

3. Who is affected? Anybody or anything using Wi-Fi: from homes to businesses, coffee shops to gyms; from computers to laptops, TVs to smartphones.

4. How could I be a victim? If an attacker is on the same wireless network as you are, they could decrypt any data you send. Dinha explains that the weakness “lets attackers located close to Wi-Fi networks trick vulnerable devices into reinstalling an already-in-use key so that the encryption process can be bypassed. Now your passwords, e-mails, and other data you thought was encrypted is not. The attacker may also inject ransomware, malware, or other malicious content into the websites you visit.”

5. Can I change my Wi-Fi password to fix it? No. All networks are at risk because it’s the way the security works that is vulnerable, not a password leak. “Wi-Fi networks typically use shared keys,” Dinha says, “most often based on AES encryption, shared amongst a collection of cryptographic ‘handshakes’ that verify the identity of networks’ clients.” KRACK uses a trick key allowing the hacker to intercept traffic, bypassing the encryption.

6. So what can I do to protect my data? Dinha outlined these five important things to do right now:

  • Update your devices as soon as security patches become available.
  • If you’re using Wi-Fi or vulnerable client devices, avoid using them until patches are available.
  • Your home network is vulnerable, so turn off password-less file sharing and update as soon as possible.
  • If Wi-Fi is your only connection option, use HTTPS, STARTTLS, Secure Shell, and other reliable protocols to encrypt web and email traffic as it passes between your device and an access point.
  • Consider using a virtual private network (VPN) such as Private Tunnel for added safety as it will encrypt your traffic!

Press Releases

In the News and Private Tunnel Blog