A new cyber threat emerged recently, and it puts any person using a wireless network, even one with a secure password, at risk of being hacked.
The bug, called KRACK (Key Reinstallation Attack), is a fundamental flaw in WPA2 (Wi-Fi Protected Access 2), the encryption used on all modern Wi-Fi routers. This security protocol, an upgrade from WEP, secures communication between all the players in a network: routers, mobile devices, the Internet of Things. The flaw lies in the four-way handshake, the exchange that permits devices using a pre-shared password to join a Wi-Fi network.
It gives anyone with malicious intent, and physical proximity to the network, the ability to hack into a device that’s logged in to the system. They can then exploit that flaw to decrypt traffic like credit card information, hijack connections and passwords, and eavesdrop on communications sent from that WPA2-enabled device.
Vendors have been in the know about this for a while, and most have rushed into action to prepare patches and prevent mass exploitation of the bug. So far, so good.
But this newest vulnerability – one that could potentially affect millions of casual users at the local coffee shop or restaurant – simply points out the fact that cyber threats will never be eradicated. As soon as one issue is resolved, cybercriminals will be searching for the next flaw, bug or vulnerability to attack.
So how can we stay protected? Staying on top of security measures is imperative:
• Keep using password-protected Wi-Fi networks; they’re still the safest.
• Your device MUST be updated as soon as that pesky message to update it pops up. There are usually a few good reasons to install an update, not the least of which is that updates include patches that address discovered threats and vulnerabilities. Microsoft and Google have both recently announced they’ve released patches for this vulnerability.
• Using only sites that use HTTPS (the S signifying “secure”) can help protect you against KRACK, but HTTPS isn’t totally impervious either.
• Use a VPN (virtual private network, offered by subscription from companies such as Norton) as another layer of protection; these essentially turn a public network into a private one by encrypting your connection so your information is invisible to hackers and even internet providers.
• Make sure your passwords are strong. That won’t protect you against this particular KRACK attack because it circumvents passwords, but it is always vital to have passwords that are not easy to crack. Use combinations of letters, numbers and symbols and don’t create a password with fewer than eight (some say 10) characters.
With cyber threats constantly evolving, and new ones coming to the surface in unheard-of numbers every day, staying informed and ahead of these threats has never been more important.