KRACK – the latest threat to connected devices

Posted on: 08 November 2017

Industry News icon
  • Newly discovered wireless security vulnerability, KRACK, could allow a hacker (in Wi-Fi range) to intercept your internet communications, including passwords and credit card details.
  • Businesses and individuals can help protect themselves by following some straightforward security steps.

The risks posed by connecting to open and unprotected Wi-Fi networks have been known for several years now. Since 2004, it’s been possible to secure Wi-Fi networks and this has eased concerns about snooping.

This is thanks to the WPA2 (Wi-Fi Protected Access II) protocol, a specification for wireless network security that safeguards your online activities. These access points are most often found at businesses premises and in public Wi-Fi hotspots – you probably come across these most often in cafés or when using public transport.
 

A new threat

KRACK (Key Reinstallation Attack) takes advantage of a recently discovered vulnerability in WPA2 that lets hackers break encryption shielding connections.

If someone were to do this to your connection, they’d be able to tamper with the traffic of data between your device and the wireless internet router it is connected to. It would then be possible for them to extract sensitive information like login and banking details. Additionally, they could modify the exchange of requests going between the router and your device so that you get presented with ‘imposter’ webpages which trick you into sharing data or allowing access to your device.

So, should everyone stop using WPA2?

No. The advice is to continue using WPA2 to protect your connections; it is still the best option to secure your device and activity. When connecting to a public network, you can be sure it has WPA2 if there’s a padlock next to the network’s name – often overlapping the icon displaying signal strength.

You can make your Wi-Fi network a less tempting target, for all sorts of attacks – not just KRACK, by password-protecting it.
 

How to defend your devices against this threat

The good news is that KRACK was discovered by a researcher (Mathy Vanhoef from the University of Leuven) with honest intentions. So instead of victims knowing about it first, manufacturers were told months before the public and they’ve had a head-start on developing fixes.

On top of avoiding unprotected Wi-Fi connections, users must ensure that all devices are updated as soon as any updates become available. These updates will often contain security patches which resolve flaws, such as KRACK, or provide defence against new and emerging threats.

For businesses, it may be worth reminding workers to shut down their computers at the end of each day, instead of leaving them on standby overnight, as it’s usually during the boot process that updates are installed. While issuing this reminder, it could also be mentioned that no one should ever use an unsecured Wi-Fi connection (during external business meetings, for instance).
 

What should I tell my customers?

Help businesses and individuals protect themselves against KRACK and other cyber threats by reiterating how important it is to use secure internet access points and install system and software updates as soon as possible during your discussions with them.

In addition, Allianz Commercial policyholders can:

You can find out more about KRACK on its discoverer’s website: krackattacks.com.