KRACK is a vulnerability discovered by Mathy Vanhoef and published on October 16 2017 that allows anyone on the same network to read and change the internet data you transmit over Wi-Fi.
It affects all types of WPA2, the only Wi-Fi protection previously known to be secure, and the vulnerability works regardless of how strong your Wi-Fi password is.
KRACK is receiving a lot of attention from the press and experts in the security industry, and vendors are currently working on providing patches to devices that use Wi-Fi, such as computers, phones and access points.
If you used Wi-Fi any time in the past, you were affected. This means that anyone with knowledge of this vulnerability in the past could have had access to your data transmitted using Wi-Fi, such as your username and password on websites, unless you were using a VPN.
The vendors mentioned in the paper were notified about the vulnerability around 14 July 2017, and a broader notification to all vendors was sent on 28 August 2017.
In particular, exploiting this on Android phones is very simple due to an additional bug. Until an update is published by your Android manufacturer, it's safe to assume your Wi-Fi traffic is not safe. Unfortunately some Android manufacturers can take months to provide an update, even of serious security fixes.
The researcher also mentions "attacking macOS (..) is significantly easier than discussed in the paper", so although details about this macOS attack are not known yet, it's safe to assume that your macOS Wi-Fi can also be easily read.
The best and simplest way to protect your internet connection over Wi-Fi currently is by using a VPN. Even if you connect to public Wi-Fi, the VPN will always guarantee that any data you send over Wi-Fi is private and secure. If you were using a VPN in the past, it means your data was safe even before this bug was well known.
If you aren’t using a VPN, websites you visit might protect your data if they are configured to always use https. Even if your website uses https, unless it's configured to always use it, there are ways that anyone exploiting this Wi-Fi vulnerability can force your computer or phone to not use https when they're eavesdropping so they can read your data. This configuration to always use https, called HSTS, is unfortunately not very widely used, and not very easily verifiable by the average user.
Also unless you are using a VPN, privacy of data from apps you use will depend solely on the protection built in by the app creator. Unfortunately for the average user, there's no way to verify if your data is being securely transmitted or not.
If you are a customer, all your data has been fully protected from KRACK even when using a vulnerable phone or computer in the past. Your data was never visible to eavesdroppers when you were on Wi-Fi, be it public or private.
If you don’t have an account, sign up below and you’ll be protected from KRACK in just a few minutes.
3041+ Servers in 28 Countries...and growing