Some very bad news for anyone who uses Wi-Fi: Security researchers have found severe flaws in the Wi-Fi Protected Access II protocol (WPA2), the security protocol most commonly used to secure your data as it travels across a Wi-Fi network. A proof-of-concept attack dubbed "KRACK" could allow hackers to "steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos," and "works against all modern protected Wi-Fi networks," according to the informational website set up by researcher Mathy Vanhoef.

The actual details of the hack get a little bit technical, but essentially the attacker can manipulate the security handshake that Wi-Fi networks perform with devices that connect to them, stealing the numerical key that would otherwise encrypt the transmitted data. This allows attackers to effectively eavesdrop on any information a connected device sends across the compromised network.


This vulnerability is particularly concerning because WPA2 protection is the most common and most advanced form of Wi-Fi security available to the average person. Previous protocols, like Wired Equivalent Privacy (WEP), have been retired due to the ease with which they can be cracked. WEP passwords, for instance, can be cracked in a matter of minutes using widely available software. WPA2, first instituted in 2006, is the current, modern standard for Wi-Fi security.

There is some good news. The vulnerability is fixable with software updates to Wi-Fi enabled devices. The Wi-Fi Alliance, an organisation that helps make sure various wireless devices work well together, has a game plan to help raise awareness and facilitate testing and security updates for affected gadgets. And while these vulnerabilities allow attackers to breach networks, technologies like HTTPS and end-to-end encrypted apps and services like Signal and WhatsApp are designed to protect your privacy even when used over an untrusted network.

So what should you do if you're concerned about your digital safety? First and foremost, update your phone, computer, or other devices when they receive security updates. In the meantime, and just generally if you want to be particularly safe, assume that any Wi-Fi network you are using (especially public ones) may be compromised. Don't transmit any sensitive personal information (like credit card numbers, or important login credentials) unless you are using an app with end-to-end encryption or connected to a website via HTTPS—if your browser shows a little lock in the address bar and says "secure," you should be safe.

[Image: An HTTPS connection on Google Chrome]

Another extreme but reliable way to preserve your online privacy is to use a VPN, which will protect your sensitive data not only from eavesdroppers on a compromised Wi-Fi network, but also from your ISP, which has been cleared by Congress to collect your data and sell it to advertisers. If you go down that route, however, be very careful in choosing a VPN, because some sketchier services might rather sell you out themselves than actually protect your privacy.

Security updates will certainly be coming soon. Many vendors were notified of these problems in late August. But patches don't always move quickly and there are always avenues for sophisticated and determined hackers. The best action you can take is to maintain good security hygiene and stay slightly, appropriately, paranoid. Be safe out there.

From: Popular Mechanics