This WPA2 KRACK attack means your WiFi is not secure – even though everyone thought it was
Credit card numbers, passwords, emails and photos could be seen by any attacker.
A bombshell new report says it doesn't matter how good your password is, or what other security settings you have – if you're using WiFi, it's possible for someone to spy on every single thing you do.
And it affects essentially every WiFi network being used, from your private home set-up to the one at your local coffee shop.
The discovery of this serious new issue comes from Mathy Vanhoef, a Belgian computer security researcher. Vanhoef published the findings Monday on a dedicated website, KRACKattacks.com.
The flaw lets people "read information that was previously assumed to be safely encrypted," Vanhoef wrote. "This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on."
And the scope is potentially huge: "The attack works against all modern protected Wi-Fi networks," he said.
How it works
We're going to keep this part brief, because it gets very technical very quickly.
It concerns the use of "WPA2," a proven method of protecting data on a network. (You've probably seen it when setting up WiFi at a new house or apartment.) WPA2 has been used to make WiFi connections secure for a decade now – it's the "modern standard," Consumerist explains, because it was thought to be well-protected.
The flaw Vanhoef discovered is in the core function of WPA2, during what's referred to as a "4-way handshake." The WiFi access point and the device that's connecting to it talk to each other to make sure credentials match. The device gets issued a new, fresh encryption key, which secures any data that gets sent over that connection (so web browsing, streaming, etc.).
But there's a way for an attacker to make the WiFi access point and your device redo part of that "handshake" process. Doing so forces the device to take an already-used encryption key rather than a fresh new one. That gives the attacker an opening to spy on any data that goes over the connection.
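To make the key-reuse problem concrete, here is a small Python model of a device that receives the same handshake message twice, with and without the fix vendors shipped (an added example, not code from Vanhoef or from this article). It assumes a detail the article leaves out, that installing a key also resets the device's per-packet counter, and it uses a toy hash-based cipher and constructed data in place of real WPA2 encryption.

```python
import hashlib

# Constructed sample frames (same length) and a constructed session key.
P1 = b"constructed frame one"
P2 = b"constructed frame two"
KEY = b"constructed-session-key"

def keystream(key: bytes, counter: int, n: int) -> bytes:
    """Toy keystream from SHA-256(key || counter || block); a stand-in, not WPA2's cipher."""
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical device model: holds one session key and a per-packet counter."""
    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.counter = 0

    def on_key_message(self, key: bytes) -> None:
        # Patched behaviour: a repeat of the key already in use is ignored.
        if self.patched and key == self.key:
            return
        self.key = key
        self.counter = 0  # assumption: installing a key restarts the packet counter

    def send(self, plaintext: bytes):
        self.counter += 1
        return self.counter, xor(plaintext, keystream(self.key, self.counter, len(plaintext)))

def run(patched: bool):
    """Send one frame, replay the key message, send another; return counters and c1 XOR c2."""
    client = Client(patched)
    client.on_key_message(KEY)
    n1, c1 = client.send(P1)
    client.on_key_message(KEY)  # the replayed handshake step
    n2, c2 = client.send(P2)
    return (n1, n2), xor(c1, c2)

if __name__ == "__main__":
    for patched in (False, True):
        counters, mixed = run(patched)
        print("patched" if patched else "unpatched", counters,
              "encryption cancels out:", mixed == xor(P1, P2))
```

On the unpatched device both frames are encrypted with the same counter, so combining the two ciphertexts removes the encryption entirely and leaves only the two messages mixed together; on the patched device the counter keeps advancing and that shortcut is gone.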
Here's a short demo video from Vanhoef (but heads-up, it's pretty technical):