A recent WiFi vulnerability that affects all current WiFi connections - both in homes and on public WiFi hotspots - is causing panic around the world. The vulnerability is called KRACK and it allows hackers to bypass the WPA2 encryption that protects WiFi connections.
The result of KRACK, is that any WiFi connection can be penetrated by a hacker who has the right skills. This means that all of the data that travels from a device - including passwords, credentials, login details, credit card information, and any other sensitive data - can be intercepted by the hacker.
WPA2 is the industry standard for WiFi encryption. It is the best thing we have, and it is broken. The KRACK vulnerability permits a hacker to decrypt the actual WiFi signal. This makes everything but HTTPS, Virtual Private Network (VPN) encryption, and other forms of end to end encryption (such as Tor and Frex) vulnerable to the attack.
In fact, even if a website uses HTTPS - unless it is configured to always use it - there are ways that hackers may exploit KRACK to hijack your traffic. The configuration to always use HTTPS is called HSTS, and, unfortunately, it is not very widely used. However, as long as you ensure that you are connected to the correct web address and that you can see the closed padlock icon (in your browser address window), you should be secure.
VPN is the best solution
A VPN is an excellent solution to the problem. After all, there are some excellent VPNs on the market that cost about $70 per year. Considering the level of security and privacy that a VPN provides that is a small sum - that is hardly going to break the bank.
Unfortunately, however, there is one important consideration to bear in mind if you plan to protect yourself against the KRACK exploit with a VPN. You see, while it is true that a VPN is the best way to protect yourself against KRACK - there is an exception to this rule.
How KRACK Works
KRACK breaks the WPA2 encryption of data as it travels the WiFi radio waves between a device and a router. This means that a VPN installed on a router may not be protecting you against KRACK. This is important, because many people currently protect their network with routers that have been loaded (or "flashed”) directly with a VPN client.
Up until KRACK was discovered, flashing a router with a VPN was thought to be the best method for protecting all the devices connected to a network. This is because encrypting and decrypting data as it arrives and leaves the network at the router level protects every single device on the network (including smartphones, tablets, laptops, PCs, smart TVs, and any other connected devices). The result is that all network data is securely encrypted as it travels out from the router to and from the internet.
Still Vulnerable
The nature of the KRACK vulnerability means that a hacker located near to a router can intercept traffic traveling from the router to devices on its network. Unfortunately for people that use a VPN installed directly onto a router, their data has already been unencrypted by the VPN software at this stage.
This is troubling, because people accustomed to relying on a VPN installed directly onto their router may now be living under a false sense of security. The warning is clear: a VPN installed on a router is in the wrong place in the chain to effectively protect you against the KRACK vulnerability.
Options Are Available
For people that protect their devices with a flashed router, it is important to do find out if an update is available to patch the vulnerability. The good news is that developers of two of the most popular platforms (DD-WRT and Open-WRT) have already issued a fix. I contacted FlashRouters.com to find out what consumers should do. The firm’s spokesperson told me:
"DD-WRT and OpenWRT have patched this vulnerability quickly showcasing why they are premiere firmware options to trust versus some of the slower and delayed responses from other vendors, especially on older models. In our opinion, DD-WRT does a great job of continuing to breathe life and enhance the capabilities and securities into all kinds of router models from the original old-school WRT54Gs to the top of the line Wireless-AD Netgear R9000.”
Sadly, not all routers will be running these two types of firmware, so it is down to consumers to look into their own router model and firmware type. If an update is available to plug the KRACK vulnerability, then you are in luck. Once plugged, you can continue to use your VPN at the router level and all the devices in your home will be protected.
"Krack updates are already available and we have answered any FlashRouter users requests by sending them the build for their router. Customers and interested users can also reach out to us via FlashRouters for the latest info for their specific case. Due to the number of devices we have supported and continue to support we do not have anyone size fits all answer for actual firmware builds since each device requires its own build based on its chipset and we do not maintain an e-mail list of previous customers unless they opted in when they purchased.”
Access Point (AP) Work Around
FlashRouters admits that the solution isn't going to be available for everyone and that some people may be waiting around a long time for a patch. Luckily the DD-WRT website says that enabling the setting "Disable EAPOL Key Retries” is an option for many people:
"An AP-side workaround for key re-installation attacks (KRACK), this option can be used to mitigate KRACK on the station side (router), to help protect client devices that no longer receive updates, or receive updates very slowly. Since many devices out there will not receive an update anytime soon (if at all), it makes sense to include this workaround.
"Unfortunately, this can cause interoperability issues and reduced robustness of key negotiation, hence the default setting of disabled. This workaround is NOT needed on current builds (newer than r33555) & if you know that your client devices are updated to patch KRACK on them already, or if the vulnerability doesn't bother you. KRACK is already fixed in DD-WRT "properly" in both AP mode, & station mode (client/client bridge/WDS).”
A VPN Installed Directly Onto Devices
The easiest way to effectively protect against KRACK is with a VPN installed at the device level. This ensures that VPN encryption happens before the data is transmitted via radio waves to the router. What's more, most premium VPNs allow the service to be installed on anything from 3 to 6 devices. This is what Private Internet Access has to say:
"The best and simplest way to protect your internet connection over Wi-Fi currently is by using a VPN. Even if you connect to public Wi-Fi, the VPN will always guarantee that any data you send over Wi-Fi is private and secure. If you were using a VPN in the past, it means your data was safe even before this bug was well known.”
Anybody worried that their WiFi might get hacked is advised to get the Best VPN 2018 at once. And anybody that already uses a VPN on a router, or wants a secure DD-WRT setup for their home (to protect all of their devices against KRACK as opposed to having to install a VPN on all of their devices) can contact FlashRouters for advice on how to proceed.