Researchers at a Belgian university revealed Monday that huge numbers of Wi-Fi-enabled devices are vulnerable to a newly discovered hack nicknamed Krack.
“Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted,” wrote the researchers from Katholieke Universiteit Leuven. “This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on.”
The attack exploits a flaw in how the WPA2 Wi-Fi encryption system is typically implemented. It essentially tricks devices into reusing what are meant to be one-time encryption settings across multiple messages, making it possible for attackers to decrypt them.
Computers and phones running iOS, Android, Windows, and Linux, as well as Wi-Fi hardware from companies including Cisco and Ubiquiti Networks, are all affected by the issue. Many of those companies have already begun issuing security patches, and experts are urging customers to keep their devices up to date. New devices seeking certification by the Wi-Fi Alliance will be tested for the vulnerability, the industry group said.
But until those security fixes are fully deployed, how much of a risk is Krack to everyday consumers and businesses? Experts who spoke to Fast Company generally said not to worry too much about data being sent to most apps and websites, which nowadays tend to deploy their own encryption for anything personal or confidential.
“For most people, just making sure you patch your devices when you can is probably the right answer,” says Nikita Borisov, a professor at the University of Illinois at Urbana-Champaign known for his role in finding security flaws in earlier Wi-Fi systems.
Temporarily switching away from Wi-Fi to wired Ethernet or cellular connections is probably overkill for most users, he says.
“I think that we have seen over the past number of years much wider deployment of end-to-end encryption that works on the higher protocol layers, and that would certainly protect a lot of your communication,” he says.
Some exceptions for consumers might include internet of things devices in the home—things like music servers and Wi-Fi-enabled lightbulbs—which can lag behind other equipment in deploying encryption, he says. Of course, those would generally involve less sensitive data than websites or apps.
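An added illustration, not code from the article or from the KU Leuven researchers, of the two points above: why reusing "one-time" encryption settings lets a bystander decrypt traffic, and why encryption at a higher layer still protects the payload. It uses a constructed hash-based stream cipher in place of WPA2's real cipher, and all keys, nonces and frame contents are made-up sample values.

```python
import hashlib

# Constructed toy stream cipher (not WPA2's real cipher): keystream block i is
# SHA-256(key || nonce || i). The property that matters is shared by every such
# cipher: the same (key, nonce) pair always produces the same keystream.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, i = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:length]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))

def recover_from_keystream_reuse(ct_known: bytes, pt_known: bytes,
                                 ct_target: bytes) -> bytes:
    """Two ciphertexts under one keystream satisfy C1 ^ C2 = P1 ^ P2, so a
    predictable P1 (e.g. a well-known header) exposes P2 with no key at all."""
    leaked_keystream = xor_bytes(ct_known, pt_known)
    return xor_bytes(ct_target, leaked_keystream)

WIFI_KEY = b"constructed-wifi-session-key"
KNOWN = b"GET /index.html HTTP/1.1\r\n"   # constructed, predictable frame
SECRET = b"Cookie: session=abc123\r\n"    # constructed, the data at risk

def wifi_only(reuse_nonce: bool) -> bytes:
    """Frame 2 uses a fresh nonce (normal) or the reused one (the Krack case);
    returns what a bystander who knows frame 1 can read of frame 2."""
    n1 = (1).to_bytes(6, "big")
    n2 = n1 if reuse_nonce else (2).to_bytes(6, "big")
    c1 = encrypt(WIFI_KEY, n1, KNOWN)
    c2 = encrypt(WIFI_KEY, n2, SECRET)
    return recover_from_keystream_reuse(c1, KNOWN, c2)

APP_KEY, APP_NONCE = b"constructed-app-layer-key", (7).to_bytes(6, "big")

def end_to_end_then_wifi() -> bytes:
    """Payload already encrypted at a higher layer with an independent key
    (standing in for TLS), then sent over Wi-Fi with the nonce still reused.
    The reuse now leaks only the higher-layer ciphertext."""
    app_ct = encrypt(APP_KEY, APP_NONCE, SECRET)
    n1 = (1).to_bytes(6, "big")
    c1 = encrypt(WIFI_KEY, n1, KNOWN)
    c2 = encrypt(WIFI_KEY, n1, app_ct)
    return recover_from_keystream_reuse(c1, KNOWN, c2)
```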
And for businesses, the biggest risk may come from intranet-style applications that effectively assume the corporate Wi-Fi network is secure, says Matthew Green, an assistant professor and cryptography researcher at Johns Hopkins University. Internal sites don’t always include the best encryption, and those flaws could be exploited along with the Wi-Fi weakness to steal data or for phishing-style attacks, Green says.
“Maybe there’s a way that somebody could actually redirect you to another site,” he says.
One of the most notorious corporate security breaches, the hack 10 years ago at TJ Maxx parent TJX that affected tens of millions of customers, involved exploiting weaknesses in an earlier, less secure Wi-Fi security system, Green recalls.
“That’s my guess—that if somebody uses this it’ll be a TJ Maxx kind of thing, not somebody coming after your home router,” he says.
Regardless, the Krack attack gives appmakers and website operators another incentive to ensure they’re using secure encryption themselves, so data can stay protected regardless of flaws in local networks.
“As we see more frequently, the network and OS are a target for attack and out of control of the developer,” writes Rusty Carter, vice president of product management at San Francisco security company Arxan, in an email to Fast Company. “Therefore, businesses that rely on applications to deliver value to their customers and who need to protect their brand, reputation, and their customers’ information, should secure the data and the applications and not just rely on the operating system or network to do it for them.”