A security flaw has been discovered that could be used to hack into any device that uses Wi-Fi.
That includes your phone, your laptop, your PlayStation and your smart fridge.
How does the hack work?
According to Mr Vanhoef, KRACK is a problem with Wi-Fi itself, not any particular device.
That’s what makes it so concerning.
The attack manipulates and replays cryptographic handshake messages in the four-way handshake that is used when you attempt to connect to a protected Wi-Fi network, if you’re after the technical explanation.
Simply, it allows someone to access your device through a password-protected Wi-Fi network.
“Any device that uses Wi-Fi is likely vulnerable,” Mr Vanhoef said.
Should I change my password?
It won’t make any difference.
That’s because KRACK doesn’t need your password to get access.
Mr Vanhoef does note that it’s never a bad idea to change your Wi-Fi password anyway.
It just won’t protect you from a KRACK attack.
What could be stolen?
Mr Vanhoef says he’s used the technique to steal a whole swathe of information that is supposed to be safely encrypted.
- Credit card numbers
- Chat messages
How can I protect myself?
The good news is the flaw looks like it can be fixed with a similar software update in most devices.
In fact, Microsoft has already released a patch for Windows that fixes the flaw and Apple will roll out an update in a few weeks that does the same according to CNET.
So make sure you’re up to date with any patches on your devices that use Wi-Fi (smartphones, PCs etc.) as well as the routers themselves, and check for more updates in the next few weeks.
That’s just the start of our problems though.
Here’s Associate Professor from School of Engineering at RMIT University Mark Gregory:
“Realistically what we will see of course is that anywhere between 30-50 per cent of devices won’t be patched,” he said.
“We’re now in a situation where we need to consider Wi-Fi to be insecure until we know that what we’re connecting to has been patched.”
You need to be really careful with public Wi-Fi
Professor Gregory says it’s going to be a major area of concern in the months ahead.
You probably don’t need to worry too much about a public Wi-Fi connection at your local government-run library or at a major fast food establishment because they’ve got massive IT departments to fix this kind of thing.
Your favourite boutique coffee shop though? That’s another story.
“The problem is where we have cafes and smaller companies that are offering Wi-Fi it’s likely that the access points won’t be patched and therein lies the problem,” he said.
Patching your own device doesn’t guarantee you’re safe either.
“If the actual access point hasn’t been patched, the information you’re sending to that access point can be looked at by people who are connected,” Professor Gregory said.
Has KRACK been used by malicious hackers?
We simply don’t know.
Mr Vanheof said he let vendors know about the hack after he discovered it in July, but there’s no way to tell if it has been used by people with malicious purposes before then.
This can’t be used to hack into your computer remotely though, so we’re not likely to see something on the scale of the WannaCry ransomware attack.
The US Department of Homeland Security said someone using this flaw would need to be in range of your Wi-Fi network to exploit it.
Professor Gregory says the Federal Government should step in to ensure companies which make Wi-Fi devices are patching security flaws like KRACKs.
“We simply cannot have a major system like Wi-Fi being left vulnerable,” he said.
“We’ve got all these government departments that are now linked into a national security hub and we’ve got these newly employed security tsars. It’s time the government put them to work.”