Your internet connection might not be secure.
WPA2, the security protocol used to protect most Wi-Fi connections, has reportedly been cracked. This means that wireless internet traffic could be vulnerable to eavesdroppers and attacks.
At 8 a.m. EDT on October 16, researchers plan to share the findings of their proof-of-concept exploit called KRACK, which is short for Key Reinstallation Attacks.
US-CERT, the Computer Emergency Readiness Team, issued the following warning, first published by Ars Technica:
“US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.”
The details and severity of the threat will become clearer once the findings have been released. However, if the vulnerability of WPA2 is similar to that of earlier security standards like WEP, this could be one of the “biggest online security threats ever.” Mashable reports that regardless of the strength of your password, Wi-Fi connections could be open to hackers, and users concerned about the security of their connection should avoid using Wi-Fi entirely until a solution is in place.
Ars Technica suggests that people use “HTTPS, STARTTLS, Secure Shell, and other reliable protocols” for encryption in the interim. Virtual Private Networks (VPNs) can also be used, but must be chosen carefully, as many do not actually make the connection more secure.
Still, there is no need for total panic yet. An expert told The Guardian that connections to secure websites should still be safe. He also suggested that “it’s likely” that users’ protocols don’t rely solely on WPA2 encryption, meaning that information sent over the network is not automatically in jeopardy.
We’ll know more when KRACK is revealed later today.