Close your laptop and exit the coffee shop—public Wi-Fi is not safe.
On Monday, security researchers disclosed a severe flaw in the protocols used by all modern Wi-Fi networks that gives hackers a way to steal personal information from nearly all of your internet-connected devices, including smartphones, laptops, tablets, and smartwatches. The weakness leaves your credit card numbers, passwords, chat messages, emails, photos, and other personal information at risk. It could even let attackers inject and manipulate data by adding ransomware or malware onto a website.
Yes, we all hear these dire warnings about scary “hackers” all the time. But this one is serious. So serious, in fact, that you should avoid connecting any of your tech to public Wi-Fi unless you’re certain its received patches to fix a critical weakness in the wireless standard.
Here’s what you need to know before working remote results in a full-blown disaster.
Every Wi-Fi device is vulnerable
While all Wi-Fi-enabled devices are affected by the flaw, Android smartphones and Linux computers are most vulnerable to a particularly devastating variant of the attack.
The most effective attack was used against “clients,” not access points (like your home router), but you should still avoid connecting to public Wi-Fi services. The attack, dubbed “KRACK,” is only effective if the hacker is in proximity to your device, so you’re likely more safe at home or at work. But popular areas for public Wi-Fi, like your local coffee shop or airport, remain at risk.
Not only do these networks allow access without authentication, but there is also the uncertainty that the equipment providing the connection is outdated and, therefore, unsecure. There’s virtually no way of knowing if a public access point has received the necessary updates to fix the KRACK flaw or whether those updates were ever installed.
When can I reconnect?
None of the online guides for safely browsing public Wi-Fi will save you from this latest vulnerability. We recommend staying away from public Wi-Fi until your devices receive software updates that fix the issue. If you’re not sure, search your device’s manufacturer to see if they’ve released a statement on the matter or created a support page with links on how to update your device’s Wi-Fi security. Until then, use cellular networks when possible or connect your gadgets directly to a router to bypass the wireless protocol.
READ MORE:
- The best free VPN to maintain your privacy online
- How a VPN works—and why experts think you should use one
- The best free antivirus tools for Windows and Mac
The good news is that you don’t need to rely on businesses and venues to update the firmware on their routers. The security researchers who discovered KRACK, Mathy Vanhoef, explained why in a blog post (emphasis his):
“No, luckily implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access points sends exactly the same handshake messages as before, and at exactly the same moments in time. However, the security updates will assure a key is only installed once, preventing our attacks.”
Even without KRACK, public Wi-Fi is considered extremely insecure. To bolster your defenses, you should always use a virtual private network (VPN) when connecting to a public Wi-Fi access point. A VPN will encrypt your traffic and give you an added layer of protection.
⚠️#infosec PSA⚠️
— Cisco_East_SE (@Cisco_East_SE) October 16, 2017
If you're using public #WiFi, there's no better time to encrypt ALL your traffic with VPN (IPSEC/SSL). #KRACK pic.twitter.com/M0bwx8unuu
Who released a fix?
Companies are scrambling to release firmware updates to their products to fix the potentially devastating vulnerability. Here’s a look at who is and isn’t safe from the attack.
Starbucks, the world’s largest coffee chain and hub for free internet moochers, told the Daily Dot that its public Wi-Fi systems were not affected by the hack.
“I can share that Starbucks takes very seriously its obligation to protect our customers. We have controls in place to protect our customers and can confirm that our systems are not impacted by the Krack Wi-Fi attack.”
Given the severity and breadth of the KRACK vulnerability, however, you should still use a VPN when connecting to Starbucks Wi-Fi (as you always should anyway).
Microsoft told Forbes that all users who manually apply the latest update or have automatic updates enabled are protected.
Apple has not publicly commented on how its latest versions of macOS and iOS are affected by KRACK. However, iMore’s Rene Ritchie reports that Apple’s various operating systems are only partially affected and that the company has rolled out patches in beta versions of its software.
https://twitter.com/reneritchie/status/919988216501030914
Google promised a fix for its devices “in the coming weeks.” Google’s Pixel and Nexus devices will be the first to receive the update followed by devices from third-party vendors like Samsung and LG. The company said it will also release a fix for its routers as soon as possible.
Intel issued an update for a bunch of popular Wi-Fi cards commonly used in laptops. You can download the fix at this link.
Belkin provided the Daily Dot with the following statement, saying it will posts updates regarding its products “if and when required”:
“Belkin International (Belkin Linksys, and Wemo) is aware of the WPA vulnerability. Our security teams are verifying details and we will advise accordingly. Also know that we are committed to putting the customer first and are planning to post instructions on our security advisory page on what customers can do to update their products, if and when required.”
Netgear told us it already fixed several of its products.
NETGEAR is aware of the recently publicized security exploit KRACK, which takes advantage of security vulnerabilities in WPA2 (WiFi Protected Access II). NETGEAR has published fixes for multiple products and is working on fixes for others. Please follow the security advisory for updates.
We reached out to several other companies and will update this article if we hear back.