Remember the KRACK Wi-Fi flaw that was publicly revealed last year? It’s a widespread exploit that affects every WPA2 encrypted device in the world.
It’s a scary flaw since it can allow an attacker to intercept data from a nearby Wi-Fi network, including personal data, private messages, records and web activity. Basically, anything that’s normally protected and encrypted by the WPA2 standard.
The worst thing about this flaw is that it is inherent in the Wi-Fi standard itself and any implementation of WPA2 is likely susceptible. That means if left unpatched, every Wi-Fi gadget you own – smartphones, computers, routers, tablets – can be exploited.
However, aside from KRACK, another flaw has emerged. And this one can crack your password even without your interaction!
Read on and see why it’s probably time to retire your WPA2 router soon.
New WPA 2 flaw found
Security researcher Jens “Atom” Steube has discovered a new attack technique that can crack the passwords of WPA/WPA 2 routers without user interaction.
The flaw was accidentally found while Steube was researching methods to hack WPA3, the upcoming Wi-Fi security standard.
Steube said that the attack doesn’t use traditional methods of Wi-Fi password cracks like handshake interception and brute-forcing, where an attacker has to wait for someone to connect to the network first.
Instead, this technique exploits a router’s Robust Security Network (RSN) protocol. With this new attack, a hacker doesn’t even need user involvement. By gathering the RSN information elements of a Wi-Fi network, its password can be stolen easily and discreetly.
Once a router is compromised, hackers can then do further attacks like eavesdropping on user activity and perform man-in-the-middle attacks that could allow an intruder to insert malicious content to whatever website a connected user is visiting.
Steube believes that this attack will work against “all 802.11i/p/q/r networks with roaming functions enabled.” This means all modern routers are likely vulnerable.
WPA3 is safe from this attack
Conveniently enough, the upcoming new Wi-Fi security protocol WPA3 is resistant to this technique.
Since WPA3 uses a system called Simultaneous Authentication of Equals (SAE), it requires constant interaction and will block requests after several failed attempts.
WPA3’s authentication system is also much stronger than WPA2 and it will protect your network even when you decide to use a weak Wi-Fi password. Furthermore, it will protect managed networks with a more centralized authentication system.
What you can do (for now)
Choose a stronger password
Although Steube’s attack doesn’t require client interaction, it still requires brute-force techniques. To better protect your network, please choose a long and complex password for both your administrator interface and your Wi-Fi encryption.
Turn off remote administration
Some routers allow remote administration so you or tech support can log in to your router remotely to fix problems or perform other tasks. Naturally, this leaves an opening for a hacker to log in.
Unless you actually use this feature, I would just turn it off. Again, this is in your router settings, usually under the Remote Administration heading.
How to prepare for WPA3
WPA2 is getting long in the tooth and emerging flaws like this new attack mean it is time for it to go. Thankfully, the much secure and robust WPA3 is now rolling out.
Since WPA3 is an entirely new standard and it’s meant to replace WPA2, you may have to buy new “WPA3 certified” equipment to take advantage of it.
Although some of the security enhancements may make it in WPA2 devices (especially the ones that address the KRACK flaw), the full WPA3 standard will be only available in new equipment.
However, the rollout of WPA3 doesn’t mean that your WPA2 gadgets will stop working soon. WPA3 routers will be backward compatible with WPA2 and even WPA gadgets for a long time.
Eventually though (probably by late 2019), WPA3 will be required for gadgets to be Wi-Fi certified.
If you’re shopping around for a new router, look for the “WPA3 Certified” sticker if you want to future-proof it.