Major Security Flaw Affecting All Wi-Fi Connections Revealed

Researchers just revealed a major security flaw in WPA2 encryption. WPA2 stands for Wi-Fi Protected Access 2 and it has been used on all certified Wi-Fi hardware since 2006 to encrypt information passing within a Wi-Fi network. Basically, it’s supposed to keep your information safe.

Turns out, it might be doing the opposite.

“[A]ttackers can use this novel attack technique to read information that was previously assumed to be safely encrypted,” Mathy Vanhoef, one of the researchers from Katholieke Universiteit Leuven in Belgium, wrote. “This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”

KRACK Attack

The flaw is called a “key reinstallation attack,” or KRACK. Here’s how it works. When someone joins a WPA2-protected Wi-Fi network, the protocol executes a four-way handshake. Essentially, a four-way handshake is an exchange of a series of codes that confirms that both the person trying to access the network and the access point itself have legitimate credentials. At the third point in the process, the key may be sent multiple times. This is the vulnerable spot, where attackers can send a user a key that’s already in use or flood the system with random numbers until one takes. Once that key is installed, the hacker has access to all of the user’s Wi-Fi traffic.
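A simplified model of the client side of that third handshake step, added here as an illustration; it is not code from the researchers or from Tenta. It assumes the behavior the KRACK paper describes: installing a key resets the per-packet nonce counter, so reinstalling a key that is already in use repeats nonces, while a patched client ignores the repeat. The class, function and key string are made-up names, and no real cryptography is performed.

```python
# Simplified model of a Wi-Fi client (supplicant) handling message 3 of the
# four-way handshake. It only tracks the per-packet nonce used with the
# session key; names and the key value are constructed for illustration.

class Supplicant:
    def __init__(self, patched):
        self.patched = patched
        self.installed_key = None
        self.next_nonce = 0
        self.used = set()    # (key, nonce) pairs already used to encrypt
        self.reused = []     # pairs used more than once: the failure mode

    def on_message3(self, key):
        """Install the session key delivered by handshake message 3."""
        if self.patched and key == self.installed_key:
            return           # retransmission of a key in use: keep counters
        self.installed_key = key
        self.next_nonce = 0  # a fresh install starts the nonce counter over

    def send_frame(self):
        """Encrypt one data frame; record whether its (key, nonce) repeats."""
        pair = (self.installed_key, self.next_nonce)
        if pair in self.used:
            self.reused.append(pair)
        self.used.add(pair)
        self.next_nonce += 1
        return pair


def simulate(patched):
    """Handshake, three frames, a repeated message 3, three more frames."""
    client = Supplicant(patched)
    session_key = "PTK-constructed-example"  # constructed placeholder value
    client.on_message3(session_key)
    for _ in range(3):
        client.send_frame()
    client.on_message3(session_key)          # the same key arrives again
    for _ in range(3):
        client.send_frame()
    return client.reused


if __name__ == "__main__":
    print("unpatched reuse:", simulate(patched=False))
    print("patched reuse:  ", simulate(patched=True))
```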

According to the paper, all devices are potentially vulnerable to attacks of this type, but Android and Linux in particular seem to be at risk because they can “be tricked into (re)installing an all-zero encryption key.” On other devices, the researchers note, it can be harder to decrypt all of the packets that are sent. Forty-one percent of Android devices are potentially vulnerable to an “exceptionally devastating variant” of the attack.

So what can you do about it?

Update your router. Considering this flaw has been known for months and withheld from the public, it’s possible there’s already a repair in the works. However, in the meantime, be sure to update your router as soon as an update is available. If you’re using an Android device, it might be worth it to avoid connecting with Wi-Fi and only connect via your mobile data until this vulnerability is truly patched.

Use HTTPS Everywhere. The EFF also has a useful browser extension called HTTPS Everywhere that tells your browser to prioritize encrypted traffic over unencrypted traffic. If a site you visit defaults to unencrypted HTTP, the browser extension will automatically rewrite the requests to the site to encrypted HTTPS. Tenta Browser comes with the HTTPS Everywhere extension built in -- you can manage this extension in any open tab.


Use a VPN you trust. Another option is to install a VPN or virtual private network. VPNs add another layer of encryption to your Wi-Fi connection, on top of whatever encryption is being offered by WPA2. As a result, anyone connecting using a quality VPN knows that their connection is safe, regardless of whether or not their Wi-Fi has been compromised.

One caveat when it comes to VPNs, however: They are not all created equal. With VPNs, you really do get what you pay for. There are some VPNs that offer a completely free, unlimited service, which can sound enticing at first. However, they have to get their money from somewhere and if your VPN is “free,” it’s likely that they’re getting their money by collecting and selling your data.

So be cautious. Upgrade your software. Use HTTPS. And get a VPN.
