December 28, 2017
In the last 24 hours, the internet has been flooded with some very troubling news. The WiFi technology that we all use on a daily basis has been compromised. With a severe flaw in the WiFi Protected Access 2 or WPA2 standard, we are all now vulnerable to privacy invasions by anyone who gets within range of our WiFi routers. The WPA2 hack to end all hacks is here.
This is a serious crisis in the world of internet security and measures need to be taken as soon as possible. While there will no doubt be a patch out in the wild, we strongly recommend that you make use of a VPN to encrypt the packets you send over your WiFi network. To better understand why this is important, let's look at exactly what's gone wrong with the world's WiFi security.
Before WPA2 there was just plain old WPA. Before even that there was WEP or Wired Equivalent Privacy. WEP is so easy to break into these days that anyone with a tool such as Aircrack-ng can break into it with relative ease. That's why no one uses it anymore. We are two generations along now and WPA2 has been a secure solution since 2006.
WPA2 uses strong encryption to obscure the content of your data packets. So even though a packet sniffing application can see the packets, it can't understand them without the decryption key.
Chances are if you are using network hardware that's been made in the last 10 or so years, it's using WPA2. That's everything from your phone to your smart TV. Do you see the problem here?
In short, it's been hacked. A security researcher by the name of Mathy Vanhoef published the details of the KRACK or Key Reinstallation Attack on Monday 16 October 2017 via his website.
Vanhoef and his team found weaknesses in WPA2 that theoretically allow an attacker to do several nasty things to your home network. Vanhoef has verified the practicality of the attack and so we have no choice but to take it very seriously. So what can an attacker do using this method?
It's important to note that WPA2 has been sort of compromised before. For example, by using a program like Wireshark, you can decrypt WPA2 traffic. However, you still need the passphrase to do this. This is why we have always insisted that everyone use a VPN on public WiFi. Why? Because the passphrase is public. However, on a home network, unless you give it away, no one knows what your passphrase is. KRACK changes all that and right now no one is safe.
Key re-installation targets the way that WPA2 uses cryptographic keys. If you want to know more about encryption, you should head over to our article on VPN encryption for details. The most important thing that you should know is that the same cryptographic key should not be used twice.
Usually, your device and the WiFi router negotiate a fresh key every time they connect. What happens with this attack is that the target device is tricked into installing a key that's already in use.
This attack replays a part of the "handshake" process that WPA2 devices use to make sure only authorized devices have the key. By replaying that segment of the handshake, the re-installation trick is pulled off and the attacker can decrypt your WiFi traffic. It's obviously more complicated than that, but you can read the specific technical details in the research paper.
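To make the key-reinstallation mechanism concrete, here is a toy model (added here, not code from the paper or from any WiFi stack) of a client handling a retransmitted handshake message 3. The SHA-256 keystream and the 16-byte key are constructed stand-ins for CCMP's AES-CTR; the model shows that reinstalling the key resets the packet counter so two frames share a keystream, while a client that refuses to reinstall an already-installed key (the patched behaviour) does not.

```python
"""Toy model of WPA2 key installation. Constructed data, not real WiFi code."""
import hashlib


def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    # Stand-in for CCMP's per-packet AES-CTR keystream: it depends only on
    # the key and the 48-bit packet number, so reuse of that pair repeats it.
    out, counter = b"", 0
    while len(out) < length:
        block = key + packet_number.to_bytes(6, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


class Supplicant:
    """Client side of the 4-way handshake, reduced to message 3 handling."""

    def __init__(self, reinstall_allowed: bool):
        self.reinstall_allowed = reinstall_allowed  # True models the KRACK-prone client
        self.ptk = None
        self.packet_number = 0

    def receive_message3(self, ptk: bytes) -> None:
        # Vulnerable behaviour: every (re)transmission installs the key and
        # resets the packet number, so the same keystream is produced again.
        # Patched behaviour: a key that is already installed is left alone.
        if self.ptk == ptk and not self.reinstall_allowed:
            return
        self.ptk = ptk
        self.packet_number = 0

    def encrypt(self, plaintext: bytes) -> bytes:
        self.packet_number += 1
        ks = keystream(self.ptk, self.packet_number, len(plaintext))
        return xor(plaintext, ks)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def leaked_xor(reinstall_allowed: bool) -> bytes:
    """Send a frame, replay message 3, send another; return C1 xor C2."""
    ptk = b"\x11" * 16  # constructed pairwise key
    client = Supplicant(reinstall_allowed)
    client.receive_message3(ptk)
    c1 = client.encrypt(b"first frame  ")
    client.receive_message3(ptk)  # retransmitted message 3
    c2 = client.encrypt(b"second frame ")
    return xor(c1, c2)  # equals P1 xor P2 only when the keystream was reused
```

With `reinstall_allowed=True` the keystream cancels out and `leaked_xor` returns the XOR of the two plaintexts; with the patched client the two frames use different packet numbers and nothing about the plaintexts is exposed.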
It's hard to say exactly what will happen next, but there's no doubt that this security hole will have to be fixed quickly. It's not far-fetched to expect a "WPA 3" or another new security protocol to replace what everyone is using now.
In the short term, it's likely that a patch will be released for all network devices. Routers, phones, TVs and everything else with a WiFi chip will need to be patched.
None of this will be easy or carefully controlled. Just imagine all of the network hardware companies scrambling to come up with some sort of strategy to secure the billions of devices out there. Every phone, tablet, router and more will have to be fixed and perhaps even replaced. It's going to be a mess for a while and during that time it will be up to us. We are the ones who have the responsibility for our own safety.
It's not just home users either. WPA2-Enterprise, which is much tougher to crack, is also vulnerable to KRACK. It doesn't matter that every client on the enterprise-grade WPA has a unique key, the key re-installation attack will still work.
Now that the details of the hack are out in the wild, you can bet your bottom dollar it won't be long before the script kiddies have a set of tools they can cruise the neighborhood with.
I have to be honest with you, this is pretty bad and there is no perfect short-term solution. So there are a few things that I would suggest.
First, see how many of your networked devices can be switched over to Ethernet connections. This might seem impractical, but these days there are ways to get Ethernet where it needs to go without all that crawling in the ceiling business.
For example, you could get a set of power line Ethernet extenders. These puppies use the wiring in your home to transfer network data. So you could install one by your router and the other by your smart TV or console.
Not only will this give you better performance than WiFi, it means that you reduce the number of devices connecting via WiFi. That's fewer opportunities to succumb to KRACK.
Some routers have a feature known as wireless isolation. With this feature switched on, a device connected to the WiFi can't see other computers or devices on the network. It can only connect to the internet. That's it.
So even if someone does compromise a WiFi device on your network, they can't get into the rest of the goodies. It still leaves the info that device transmits to the web vulnerable, but we'll get to that next.
The downside to this is that if you use local network features such as a media server, printer or NAS then you'll have to live with only wired devices having access to them for now.
When it comes to devices that are not using Ethernet to communicate, the best we can do right now is to treat our home WiFi networks like public WiFi hotspots. Which is to say that you should use a VPN client on that device to encrypt your data with an entirely separate set of cryptographic keys.
Unfortunately, because this attack decrypts the WiFi traffic itself, running the VPN on the router doesn't help: the traffic from your WiFi device only gets encrypted by the VPN after it reaches the router, on its way out to the web.
By using a VPN client on the device, there's another layer of encryption even before the data is transmitted via WiFi. So if the attacker peels away the WPA2 encryption, there's still another layer of encryption for which they don't have the key.
If you are completely new to VPNs and how to use them, well the time is now my friends. Luckily we're all about that VPN goodness here on TechNadu. There are a host of articles on our site that will get you up to speed and back to safety quickly and easily.
Here are the articles I suggest you read, in the order you should read them:
That's a great crash course into the world of VPNs and what they can do for you. In these dire times that knowledge can save your bacon.
For those of us who are already on the VPN train, we now just have to apply our public security mindset to our private lives. Yes, it sucks, but until someone fixes the issue that's just the way this particular cookie is going to crumble.