Q: What should I be doing to protect myself from the new Wi-Fi hacking problem?
Wireless internet access has always been more vulnerable to unauthorized access than a wired connection because it’s a broadcast technology. It’s essentially broadcasting a signal that only requires a person with ill intent to be in range of your signal to do harm.
Security protocols
To combat unauthorized users from accessing private airwaves, people have had various protection protocols to choose from when setting up routers: WEP, WPA and WPA2.
WEP, or Wired Equivalent Privacy, was the first way of encrypting wireless transmissions, but proved to be vulnerable to hacking as security flaws were discovered.
Luckily, a more difficult-to-hack encryption was available — WPA, or Wi-Fi Protected Access — when the major WEP security flaws were discovered. But as time went on, WPA became vulnerable through security flaws.
So people could turn to WPA2, which is what is most used today.
The KRACK problem
Although WPA2 wasn’t technically “un-hackable,” it would take enough effort and time that it made random acts of hacking undesirable. Nevertheless, a flaw was recently discovered by a security researcher in Belgium that allowed this highest level of security to be compromised fairly easily.
Code-named KRACK, or Key Re-installation Attack, actually exploited the protocol in a completely different way: It didn’t target the Wi-Fi access point, but the various devices that connect to it instead.
The website that explained this proof-of-concept compromise said that virtually every device that has Wi-Fi capabilities was potentially at-risk and could become victim to everything from stolen usernames and passwords to injecting ransomware into websites.
The good news
As scary as this sounds, there are a few hurdles that will make this exploit more difficult to pull off.
First off, the hacker would need to be near enough to access your Wi-Fi signal, so it eliminates the remote hacking options that the skilled underworld prefers. This exploit primarily takes advantage of interactions with unsecured sites using http://, so whenever you see https:// in the website you’re accessing or within a secured app on your phone, there is yet another layer of security that they would have to break.
Most of today’s browsers automatically attempt to connect via https:// when it’s available, but if you want to play it safe, you can add a browser plug-in called HTTPS Everywhere.
The security researcher also notified companies ahead of the public announcement, so updates from Microsoft and Apple have already created updates for the exploit.
Update everything!
Until a new security protocol is created, WPA2 is the best available, so continue to use it, but make sure you update every device that you use for sensitive transmissions on Wi-Fi as soon as patches are made available. A comprehensive list of technology vendors, along with any information about known updates, is available here. This is a dynamic list, so revisit it often or check directly with your device vendor.
The bad news
Some devices may not ever get a patch, especially older or embedded devices that have no option for updating. With the growing popularity of smart devices in the home, adding new security devices makes sense, which I’ll explain next week.
Ken Colburn is founder and CEO of Data Doctors Computer Services. Ask any tech question on Facebook or Twitter.