FAQ: Here's what you need to know about KRACK

Posted October 17, 2017

Hackers can exploit this vulnerability to steal your credit card numbers, passwords, emails, photos, and more.

While Windows and iOS devices are immune to one flavor of the attack, they are susceptible to others.

Earlier today, researcher Mathy Vanhoef from Belgian university KU Leuven revealed a serious flaw in the encryption that secures the connection between wireless access points and the devices connect to them, leaving Wi-Fi connections at risk of being snooped on and worse.

Back in 2005, a hacker penetrated the Wi-Fi network of USA retailer TJX to complete what was then the world's biggest-known theft of credit card numbers.

Nicknames aside, KRACK is a flaw in WPA2, a Wi-Fi network protection standard that's used in pretty much all connected devices.

In Vanhoef's proof of concept against a phone running Android 6.0, the behavior of wpa_supplicant-a Wi-Fi library used in Android and various Linux distributions-causes the encryption key to be erased from memory after being installed the first time.

That means you need to run software updates on your devices, including your smartphones and laptop. "There is no evidence that the vulnerability has been exploited maliciously", the organization added.

On a website dedicated to the vulnerability, Mr Vanhoef issued a plea to tech companies to issue security patches to protect devices against the vulnerability immediately.

Changing the password won't do any good, the devices themselves need to be updated, so if you are using old technology you may be out of luck. Customers who applied the update, or have automatic updates enabled, will already be protected.

Do not connect to unsecured Wi-Fi networks at coffee shops, public spots and hotels.

Spark has become aware overnight of a global security vulnerability that has the potential to put all Wi-Fi networks, and the devices that access those networks, at risk of being compromised.

Android and Linux on the other hand can be tricked into reinstalling an an "all-zero encryption key", or a key consisting of all zeros, which is clearly predictable and therefore allows the attacker to decrypt all encrypted packets.

Make sure that your Wi-Fi network has a password. The vulnerability is called a KRACK attack and affects the four-way handshake that occurs between an access point and a client device when the client wants to join the protected network.

At some point, the real AP will send another copy of message 3, possibly several times, until the rogue AP finally lets the message get through to the client.

Even secured websites, those with "https" in the URL, he warns, are not necessarily safe.

An easy way to tell whether you're on a secure site is to look for "https" at the beginning of the URL, or to look for a padlock icon in the URL bar.

Until further notice, treat all Wi-Fi networks like coffee shops with open wireless, where your network frames are never encrypted. The security flaw could leave millions of networks and devices prone to attacks.

This is probably overkill, especially if you follow the other three steps listed above.

A newly-discovered security flaw affects virtually every Wi-Fi device, and could render your home network as readable to hackers as the free Wi-Fi at a coffee shop.