Krack Attack: Security Flaw Puts Every Wi-Fi Connection at Risk
by Alyssa Newcomb
Thanks to a newly discovered security flaw, your home Wi-Fi is completely hackable, giving cyber thieves a front row seat to everything from your private chats to your baby monitor. And there's not much you can do about it — yet.
Bob Rudis, chief data scientist at Rapid7, a security data and analytics company, told NBC News this vulnerability was particularly troubling.
"When I woke up this morning and saw this one, I was taken aback," he said.
Users can protect themselves against a "Krack Attack" by making sure their smartphone and laptop are up to date with the latest patches.
Called Krack, the attack takes advantage of the four-way handshake, a process between a device and a router that has been around for 14 years and is designed to deliver a fresh, encrypted session each time you get online.
During the third step in the process, hackers can resend a key in such a way that it resets the encryption key to zero. Encryption is the process that makes your data uncrackable to anyone who might intercept it.
With an unencrypted session, hackers are then free to pry on whatever you and your devices are doing on Wi-Fi.
"The one saving grace is the attackers need to be within range of Wi-Fi networks," said Rudis. "But someone can sit outside your office or the apartment next door and do this attack from there."
The Krack attack was discovered by researchers Mathy Vanhoef and Frank Piessens of KU Leuven in Belgium and was revealed on Monday.
It's a common practice in the security world to notify vendors of an exploit before it is publicly released. On their website, the researchers said they notified vendors of the products they tested on July 14. After realizing they were dealing with a protocol weakness instead of a set of bugs, the duo alerted the United States Computer Emergency Readiness Team (CERT), who began contacting vendors in August.
CERT disclosed the exploit on Monday and included a list of vendors, when they were notified, and whether they are affected. As of Monday afternoon, many were listed as "unknown."
It's difficult to determine if any cyber criminals have used the exploit "in the wild" or are currently using it, the researchers said on their website. A demo video showed how they were able to use the attack to hack into an Android 6.0 smartphone.
Google, which develops the Android operating system, is aware of the issue and "will be patching any affected devices in the coming weeks," a spokesperson said.
Robert Siciliano, CEO of IDTheftSecurity.com, told NBC News "it's hard, if not impossible to say" if this attack has ever been used. However, given the amount of time the four-way handshake has been around, he believes it's possible someone has used it.
"This vulnerability has been in existence, some say, for up to 14 years — which means that it's entirely possible someone has already determined this flaw in the past and has exploited it," he said.
How to Protect Yourself
Fixing such a gaping problem with Wi-Fi protocol is going to require making sure your smartphone and laptop are up to date with the latest patches.
You'll also want to check for any firmware updates to your wireless router. If you're using equipment provided by your internet service provider, Rudis recommends checking with the company for the latest information on updates. If you own your router, you'll want to check to make sure you've downloaded any patches.
Since virtually every device in the world that uses Wi-Fi is vulnerable, he said it's crucial to stay on top of updates.
"I think most manufacturers will have patches soon," Rudis said. "But if you don’t see a patch for your home network equipment in at least a week, you should get a new Wi-Fi access point for your house."
While part of the solution is in the hands of vendors, home users can protect themselves now by using a "virally important" tool called a VPN — a virtual private network.
A quick Google search will lead to some VPN options, which range from free to a few dollars per month. IPVanish VPN and Private Internet Access VPN are two popular choices.
"The minute you do that, you negate this vulnerability," Rudis said. Hackers might still be able to capture your packets — but they won't be able to break the security.
You can also safely browse at HTTPS sites; however, that will require every link, photo, and anything else on the page to also have a secure domain, Rudis said, calling it "virtually impossible to do."
There seems to be a new vulnerability being exposed every day, bolstering the need for more resources to go toward fighting a cyber threat that continues to grow exponentially.
One in 131 emails sent last year contained malware, marking the highest rate in five years, according to a report from Symantec.
The growing threat is costing companies — and consumers — big bucks.
Cyber security spending is expected to top $1 trillion between 2017 and 2021, according to Cybersecurity Ventures, and that's largely fueled by the growing number of hacking threats.
The disclosure on Monday was one of the more troubling ones in recent times for security experts, though they also stressed it's inevitable.
"Think of anything mechanical, even think of food," Siciliano told NBC News. "Occasionally you see a recall because an airbag is hurting people or because brakes aren't working because the design was flawed... Nothing will ever be perfect."