On Monday we received the shocking news that WPA 2, the security protocol that protects almost all WiFi, has a serious flaw. Security research Mathy Vanhoef and his team published their findings, detailing how someone could almost trivially decrypt traffic on modern WiFi network.
You can read more about the so-called KRACK attack in our first KRACK article, but for now, it's important to know that the way you use WiFi needs to change until the flaw is dealt with by the networking industry.
Using KRACK or key re-installation attacks, a hacker could potentially capture your personal information from thin air. They could even inject viruses and ransomware onto your computers. As long as they can get within range of your WiFi, the attack is possible. Unless you live on a farm or somewhere else few people come near your home, you need to take steps immediately.
Go To Town With Updates
Quite a few companies have been quick to patch this vulnerability from their devices. Apple has already addressed the issue with the latest iOS 11 update. Microsoft also already released security patching to curb the issue.
If you're using an Android phone you may have to wait a while. Bigger brands such as Samsung will probably get fixes out quickly. If you have a more obscure brand of phone it may be better to avoid using its WiFi feature until you are sure the issue has been fixed.
Check every wireless device that you own for security updates. Check the manufacturer websites or send them requests on the topic of a KRACK patch.
Take Care of Your Router
Your router is a key part of the puzzle that makes KRACK possible.Router makers need to come up with a fix quickly and this fix will be delivered via a firmware update. The same approach as above is advisable. Immediately check your router's manufacturer site for any news on how they will deal with KRACK. If there is nothing, write them an email asking for an update. Should the vulnerability not be patched out of the router itself you'll never have an acceptable level of security.
If you have a branded router that you bought yourself or is available at retail, the chances are pretty good that patches will be out sooner rather than later.
If you got a re-branded router along with your service provider contract then the news may be less than stellar. Many of these cheap rebrands hardly ever get support or updates. If you can't get a firm answer from your ISP or router updates it may be time for more drastic measures.
Check if Your Router Works With DD-WRT
DD-WRT is one of the best-known open source, third-party router firmware offers. It's a great way to get the most out of a router, but it's also an open source project which means fixes come quickly as everyone pulls together.
As I write this the folk behind DD-WRT were already on the issue and I fully expect a new build of DD-WRT with the flaw patched out will be released soon.
If your router supports DD-WRT, this may be just the excuse you've been looking for to take the plunge. There's always a chance you could trash your router with a botched update, but if it's not getting an OEM patch it should go in the bin anyway.
Consider Buying a New Router
KRACK is a serious enough vulnerability that it's worth throwing away WiFi equipment that seems unlikely to be patched. Identify models of the router that are confirmed to have an incoming patch or have already been patched. Throw the old router out and buy a new one. Obviously, not everyone can afford to do this, but it will be the fastest way to batten down the hatches.
Since DD-WRT is likely to patch the issue soon, you might want to have a look at our roundup of the best DD-WRT routers. Some of them are very affordable.
Ditch WiFi for Now
One of the best defenses against KRACK until WPA 2 itself can be sorted is also the most obvious one: don't use WiFi. The main way to do this is by using trusty Ethernet cables. Most routers have four Ethernet ports, but you can increase that number by adding a cheap switch.
Ethernet devices should be hooked up via a wired connection if at all practical. You can also consider using powerline Ethernet extenders to get wired connections to devices that are far from the router.
What about devices that don't have Ethernet ports? Let's deal with that next.
Switch off WiFi IoT Devices
This is the age of home automation. We have tons of WiFi stuff now. Thermostats, cameras and all sorts of other devices are talking on your network. Some of them are only equipped with WiFi. So if there is no patch out yet for that device you are better off just switching it off and doing without it for now. Even one unpatched device on your network can be an open door for a hacker.
Use Mobile Data
Since your smartphone or tablet probably does not have an Ethernet port, the best idea right now might be to switch off the WiFi and fall back on mobile data. This is true on any WiFi network. Unless you know that either the phone or router have been patched.
Tether Smartphones and Tablets
If you have to make large file transfers unsuitable for expensive mobile data, why not go back to data cable transfers? It's a stroke of luck that iTunes recently brought back app downloads via the client. Samsung users might use Kies and for those who do not have dedicated clients, there's always USB storage mode.
Add More Encryption
The main reason that KRACK is so dangerous boils down to the fact that it negates the layer of encryption WPA 2 encases your WiFi data in. The encryption is very strong, but the KRACK attack provides the attacker with the key to unlocking it.
However, you can create an inner layer of encryption. So if the WPA 2 encryption is actually defeated, all the hacker will find is more encryption, except this time they'll have no key.
Many of the websites that you already use have their own independent encryption. When you see "https" at the start of the web address it means that it's secure. Sites that deal with sensitive information such as online shops and online banking facilities almost universally use HTTPS.
There are many that don't use secure protocols and so we have to add some more.
There's a browser extension called HTTPS Everywhere and it does exactly what it says on the tin. It adds HTTPS security to websites that do not already have it.
One thing you need to understand however is that this will only protect data sent to and from your browser. Other network traffic that comes from applications other than your browser might not be encrypted. They can leak sensitive personal information about you over your WiFi connection. Which neatly brings us to the next encryption option.
The VPN Solution
A VPN or virtual private network creates a private, encrypted tunnel between the VPN client and server. If you run a VPN client on your phone or computer ALL network data is encrypted before it is transmitted over WiFi. The only entity that can see your information is the VPN provider.
This is a very effective way to protect yourself against a KRACK attack, but of course much depends on how trustworthy the VPN provider is. After all, there's no point in volunteering your private info to big-time crooks to protect against the small-time variety.
That's why we're always on the lookout for reputable and worthwhile VPN services. Check out our VPN buyer's guide and our selection of the top 5 VPN services for October 2017.
Locked and Loaded
KRACK is the biggest security snafu in a long time. There's a lot of panicked behavior at the moment, but if you keep a cool head then there is little to worry about.
Yes, some of the measures we've detailed here can make life a little less convenient, but it's a small price to pay in order to stop a major privacy leak from happening to you.
Let's recap what you need to do:
- Update all WiFi devices.
- Sort your router out as soon as possible.
- Go back to Ethernet.
- Switch off WiFi on your phone until patched.
- Switch off all unpatched WiFi devices.
- Get a VPN or some other form of additional encryption.
If you follow these general tips you should be ready to frustrate the average bored script kiddie who decides it would be funny to root around your network. There is no such thing as 100% security, but that doesn't mean we have to make it easy for them!