A critical weakness in the protocol used to protect WiFi connections can be exploited to decrypt any data traveling between a WiFi client and the router it is connected to. Some variant of the Krack Attack vulnerability is present in nearly every WiFi device in the world. Unlike many vulnerabilities, this one isn’t the result of a bug in a specific implementation of the software, but a flaw in the WPA2 standard that developers base their implementations on.
The immediate consequence of the Krack Attack vulnerability is that WiFi networks cannot be trusted. Most of us are familiar with the idea that open WiFi networks we don’t control should be treated with suspicion — sending unencrypted sensitive data from a coffee shop isn’t a good idea. But the new vulnerability means that even WiFi networks we do control can’t be entirely trusted because of the flawed security protocol.
It’s not easy to exploit the vulnerability: the attackers have to be connected to the same WiFi network, but the risk is still significant.
It should be pointed out that WPA2 only handles data that travels between the client — a mobile device or laptop — and the wireless router. If data is also encrypted with a different protocol at a different level of the network stack, that encryption is unaffected. The flaw in WPA2 does not mean that people can intercept and decrypt information sent over SSL-secured connections.
Mitigating The Risk Of Krack Attacks
We expect fixes for routers, client devices, and applications to be made available as soon as possible. As ever, updating your devices is the best way to mitigate the impact of this vulnerability.
As I’ve already noted, users of websites and eCommerce stores protected by SSL certificates have an additional layer of protection that will prevent an attacker from reading sensitive information even if they can decrypt the WPA2 connection.
All Magento stores should be protected by SSL certificates — payment gateway services use SSL by default, but without an SSL certificate for your Magento store, other sensitive information can be observed by an attacker. Responsible eCommerce merchants protect their customers with SSL certificates.
One scenario in which both Magento and WordPress site owners are at risk is when carrying out work on a site over an unencrypted connection: FTP is a common example. If an outside contractor or developer is working on your site from a WiFi network vulnerable to a Krack Attack, there’s nothing to protect sensitive data.
We offer OpenVPN virtual private networks for WordPress dedicated server and Magento dedicated server hosting clients to allow site and store owners to grant secure access to third parties. Once logged in to an OpenVPN network, all communication is encrypted, protecting data even if it travels over a vulnerable WiFi network.
Learn More About Krack Attacks
Krack Attack stands for Key Reinstallation Attack, and it exploits a flaw in the 4-way handshake that takes place between a WiFi client and a router. When your device connects to a wireless router, a conversation between the devices sets up a shared encryption key that is used to encrypt subsequent traffic.
Krack Attacks trick WiFi clients into reinstalling a key that is known to the attacker. It should only be possible to install a key once: if an attacker can force the same key to be reinstalled, they can, along with other information collected from the network, decrypt the connection. You can see the full details of how this works on the Key Reinstallation Attacks website.
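To show why client updates matter, here is a toy model of the reinstallation flaw and its fix. It is an added example, not code from this article or from any WiFi implementation. It relies on the published KRACK finding that reinstalling a key resets the per-packet counter (nonce); the hash-based cipher, the Client class, and the sample packets are assumptions made for illustration and are not WPA2's real cipher or message formats.

```python
import hashlib

P1 = b"constructed packet one"  # constructed sample plaintexts, equal length
P2 = b"constructed packet two"

def keystream(key: bytes, nonce: int, n: int) -> bytes:
    # Toy stream cipher standing in for WPA2's real cipher: hash(key, nonce, block).
    blocks = (hashlib.sha256(key + nonce.to_bytes(8, "big") + bytes([i])).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:  # hypothetical model of a WiFi client, not a real API
    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.nonce = 0
        self.nonces_used = []

    def on_message3(self, key: bytes) -> None:
        # Message 3 of the 4-way handshake tells the client to install the key.
        if self.patched and key == self.key:
            return              # fix: never reinstall a key already in use
        self.key = key
        self.nonce = 0          # (re)installation resets the packet counter

    def send(self, plaintext: bytes) -> bytes:
        self.nonce += 1
        self.nonces_used.append(self.nonce)
        return xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))

def simulate(patched: bool):
    """Return (nonce_reused, keystream_cancels) after a replayed message 3."""
    key = hashlib.sha256(b"constructed session key").digest()
    client = Client(patched)
    client.on_message3(key)
    c1 = client.send(P1)
    client.on_message3(key)     # retransmitted message 3 arrives again
    c2 = client.send(P2)
    nonce_reused = len(set(client.nonces_used)) < len(client.nonces_used)
    # If both packets used the same keystream, c1 XOR c2 equals P1 XOR P2.
    return nonce_reused, xor(c1, c2) == xor(P1, P2)

if __name__ == "__main__":
    print("unpatched:", simulate(False))
    print("patched:  ", simulate(True))
```

In the unpatched run both packets are encrypted under the same key and nonce, so the encryption cancels out when the two ciphertexts are combined; the patched client ignores the repeated install and keeps counting.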