As of the disclosure today, news about the WiFi “KRACK” is starting to circulate widely. It has had so much coverage that it has taken down some of the common security sites due to the volume of people trying to find out more! I think most people are already aware that you are vulnerable if you use Public WiFi that doesn’t have a password (that is part of the WiFi settings, rather than one that is set on a web page). It is relatively easy for a seasoned hacker to grab passwords and other data IF you aren’t using sites that use encryption (The green key in the browser bar – “SSL” / TLS – we’ll come back to that), or a secure VPN.
The KRACK vulnerability allows an appropriately equipped hacker to set up a fake secure WiFi access point with WPA2, which was previously thought to be secure. The hacker can then intercept traffic just as if you were on an open WiFi network. However, they shouldn’t be able to access traffic that is using application level encryption. However, it IS possible for a hacker to redirect you to an insecure site (no green key in the browser bar) and to harvest your passwords. This video by Mathy Vanhoef (who discovered the vulnerability) demonstrates how the attack works in this video:
So, some things to do in response:
- Keep an eye on that browser bar and look for the green key. Don’t use unsecured sites over WiFi you don’t trust.
- Ensure that your email clients are all set to use only SSL / Secure connections.
- Keep an eye out for software updates for your WiFi router (ones from the manufacturer obviously!).
For anything at all sensitive enable two factor authentication/2FA – most major sites support this (instructions for Facebook, instructions for Google), if they don’t you should ask them. You also may want to consider using a VPN client, if you are comfortable with how these work, and you are very sure that the VPN provider themselves isn’t a greater security risk.