Authored by a Symantec employee
Security researchers have discovered a major vulnerability in Wi-Fi Protected Access 2 (WPA2). WPA2 is a type of encryption used to secure the vast majority of Wi-Fi networks. A WPA2 network provides unique encryption keys for each wireless client that connects to it.
Think of encryption as a secret code that can only be deciphered if you have the “key,” and a vital technology that helps keep digital data away from intruders and identity thieves.
The vulnerability, dubbed “KRACKs” (Key Reinstallation AttaCKs), is actually a group of multiple vulnerabilities that, when successfully exploited, could allow attackers to intercept and steal data transmitted across a Wi-Fi network. Digital personal information that is transmitted over the Internet or stored on your connected devices — such as your driver’s license number, credit card numbers, and more — could be vulnerable. All of this personal information can be used to commit identity theft, such as accessing your bank or investment accounts without your knowledge.
In some instances, attackers could also have the ability to manipulate web pages, turning them into fake websites to collect your information or to install malware on your devices.
What should you do?
Wi-Fi users should update their Wi-Fi-enabled devices as soon as a software update is made available. Wi-Fi-enabled devices are anything that connects to the Internet — from laptops, tablets, and smartphones to other smart devices such as wearables and home appliances.
Should you change your Wi-Fi password?
No. This vulnerability does not affect the password to your router’s Wi-Fi network. Regardless of whether your Wi-Fi network is password protected, this new vulnerability still puts your data at risk because it affects the devices and the Wi-Fi itself, not your home router, which is what the password protects.
The researchers who discovered this vulnerability state that the attack could be “especially catastrophic” against version 2.4 and above of wpa_supplicant, a Wi-Fi client commonly used on Linux and Android 6.0 and above.
If you are using an Android phone, you will need to go to the manufacturer’s website to see if there is a new patch available for this vulnerability.
Are hackers already exploiting this vulnerability?
Not yet. But as with many newly discovered vulnerabilities, it is only a matter of time before hackers find ways to exploit this weakness to their advantage.
What else can you do to help protect your connected devices while waiting for a software update?
Keep in mind that it may take some time for the manufacturer of your devices to come up with a security patch. In the meantime, there are extra steps you can take to help secure your devices.
We strongly recommend that users install and use a reputable VPN on all their mobile devices and computers before connecting to any Wi-Fi network. By using a secure virtual private network (VPN) on your smartphones and computers, your web traffic will be encrypted and your data will be safe from interception by a hacker. A VPN creates a “secure tunnel” where information sent over a Wi-Fi connection is encrypted, making data sent to and from your device more secure.
Norton WiFi Privacy uses bank-grade encryption by employing the same encryption technologies that leading banks deploy, so you can rest assured that your information stays secure and private. You can also browse anonymously and protect your privacy with Norton WiFi Privacy. Mask your online activities and location with this no-log VPN that encrypts your personal information but never stores your online activity or location.
By using a secure VPN (Virtual Private Network) such as Norton WiFi Privacy, your web traffic will be encrypted by additional means and will be protected against interception.
Additionally, only using HTTPS-enabled websites means your web traffic will also be encrypted by SSL and may be safer from this vulnerability. HTTPS browsing adds an extra layer of security by using encryption via the website you are visiting.
© 2017 Symantec Corporation. All rights reserved.