WPA2, which secures the connection between a computer or a mobile phone and a wireless access point, is vulnerable to a type of computer attack. Some tips to avoid being hacked.
Serious flaws in how most contemporary wireless networks are secure have been proved by two security researchers .
Discovered by Mathy Vanhoef and Frank Piessens of the Catholic University of Leuven, the vulnerability affects the protocol "WiFi Protected Access 2" WPA2.
WPA2 secures the connection between a computer or a mobile phone and a wireless access point for our navigation.
This security can be hacked: it is possible for someone to read what is transmitted over the network, allowing it to intercept passwords or credit card details, but also to inject malicious code when users visit websites.
A flaw dubbed "KRACK"
Nicknamed "Key Resettlement Attack" (KRACK), the discovery of# Vanhoef Piessens and has the most serious implications for devices using the Android operating system, in particular 6.0 and higher, and systems using Linux.
But do not panic right away: although almost all devices that use the wifi are vulnerable KRACK can be deployed in certain circumstances. And there are some simple steps you can do to help keep your safe Internet traffic.
Understanding WPA2
Most secure wireless networks using the WPA2 security protocol. It allows users to connect to a network and secure their communications.
The encryption process uses a set of secret keys that are agreed upon between the connection device and the wireless access point. These keys are used to scramble the messages on the network and provide protection against someone sitting in an Internet cafe, for example, attempting to listen to messages between laptops and wireless router.
WPA2 was established to address the weaknesses of previous protocols used to secure wireless networks, such as Wired Equivalency Privacy (WEP) and the first version of WPA.
Until now, it was probably the safest .
How KRACK works ?
Attack of the "middle man"
KRACK Attacks: How WPA2 Android and Linux protocol is exceeded.
In this scenario, the attacker can request that the third message is sent, resulting in the reuse of an existing key. These keys are used to scramble the contents of messages to prevent it from being read, but also to check whether messages have been altered in any way whatsoever. By forcing the recycling of waste keys, these protections are effectively removed.
As the key is re-set to zero in Android 6.0 devices, this means that the keys are known (they are zero), and messages can be easily decrypted. On other platforms, and depending on the circumstances, only a few posts may be exposed.
What does this mean to you?
Vendors of affected devices seem to be aware of the vulnerability since July or August . As the attack is wifi customers, devices such as mobile phones and laptops are most at risk.
Some safety tips:
Make sure to update your devices. Apple and Google have announced to the media that they have corrected the problem within a few weeks. Microsoft has already released a patch, and other companies have already corrected the vulnerability or have corrected shortly. The key message is that you should immediately apply all the updates coming out for phones, laptops or other devices. This is especially true for Android phones.
Use sites with HTTPS. Until patches are available, it is good to remember that the wireless networks, even when secured, will protect communications to wireless access point. For protection from end to end with websites, we rely on HTTPS to ensure secure communications.
Make sure to look in the URL of the sites you visit. Normally this would protect users even on a compromised network, although it is possible to bypass HTTPS if the Web site is not securely configured.
Use of encrypted services. Other papers, such as those used to send and receive email, should also be encrypted. Although this is not always the case. Services such as Gmail are encrypted by default . Other applications that use their own encryption end to end, like Facebook Messenger, WhatsApp and FaceTime, would also secure.
Get a VPN. One way to ensure secure communication while using any form of wireless network is to use a virtual private network (VPN) connection. VPNs provide their own encryption, which protects all communications sent over the wireless network and still provide this protection, even in the case of a person using WPA2 KRACK.
We are not all doomed
While this is a serious breach, it is not a mere technical breach and requires the attacker to be close to the wifi network. The attacker must also rely on the device to get attacked on unprotected sites, non-HTTPS and not using VPN.
As pointed out by commentators in the industry, this situation is not as serious as the media headlines might suggest. But consider that this is a timely reminder to install software updates on all your devices.
The original version of this article was published on https://theconversation.com/uk