Earlier this week, a critical vulnerability in WPA2 was exposed to the public. Security researchers found that WPA2 can be abused to eavesdrop on traffic users believe to be encrypted. The attack, dubbed KRACK (Key Reinstallation Attack), affects all correct implementations of WPA2 because the flaw resides in the Wi-Fi standard itself, not in any single vendor's code. You can find more details concerning the vulnerabilities on the KRACK attack website.
Here are some recommendations for mitigating this attack:
- Patch your devices. U.S. CERT released a list of vendors that were affected, but keep in mind it is most likely not definitive. Also, here is a list of all the vendors that have released patches so far.
- Enable Multi-Factor Authentication (MFA).
- Use a VPN.
- Make sure sites you visit are encrypted with HTTPS.
- Smartphone users can switch to using mobile data instead of Wi-Fi when visiting sites that handle sensitive information.
- Use a wired Ethernet connection instead of Wi-Fi until patches are available for your devices.
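The HTTPS and VPN recommendations share one premise: once the Wi-Fi link layer can no longer be trusted to keep traffic private, only encryption above it protects the data. A practical way for a defender to act on that is to inventory which hosts clients on the WLAN are reaching over plaintext HTTP. The script below is an added example, not part of the original post or any vendor's tooling; it parses proxy-style log lines (the log format, IP addresses and hostnames are constructed for this example) and reports hosts that were only ever seen over HTTP, plus plaintext requests that carried a body, which is the worst case for leaked credentials or form data.

```python
"""
Added example (not from the original post): inventory plaintext HTTP versus
HTTPS traffic from proxy/firewall-style log lines, so you know which hosts an
on-path eavesdropper on a compromised WLAN could actually read.
The log format and all sample values below are constructed for this example.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed log line format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample data; IPs and hostnames are placeholders, not real observations.
SAMPLE_LOG = """\
2017-10-16T09:01:02Z 192.0.2.10 GET http://intranet.example.test/login 200
2017-10-16T09:01:05Z 192.0.2.10 POST http://intranet.example.test/login 302
2017-10-16T09:02:10Z 192.0.2.10 GET https://mail.example.test/inbox 200
2017-10-16T09:02:11Z 192.0.2.11 GET http://updates.example.test/check 200
2017-10-16T09:02:30Z 192.0.2.11 GET https://updates.example.test/check 200
2017-10-16T09:03:00Z 192.0.2.12 CONNECT bank.example.test:443 200
garbage line that should be skipped
"""


def parse_line(line):
    """Return (client, scheme, host, method), or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    if m.group("method") == "CONNECT":
        # CONNECT target is "host:port" for a tunnelled TLS session; treat as https.
        host = url.rsplit(":", 1)[0]
        return m.group("client"), "https", host, "CONNECT"
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return m.group("client"), parts.scheme, parts.hostname, m.group("method")


def plaintext_exposure(log_text):
    """Summarise, per host, which schemes were seen, which clients used plaintext,
    and how many plaintext requests carried a body (POST/PUT/PATCH).

    Returns {host: {"schemes": set, "plaintext_clients": set, "plaintext_writes": int}}.
    """
    report = defaultdict(
        lambda: {"schemes": set(), "plaintext_clients": set(), "plaintext_writes": 0}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped rather than aborting the run
        client, scheme, host, method = rec
        entry = report[host]
        entry["schemes"].add(scheme)
        if scheme == "http":
            entry["plaintext_clients"].add(client)
            if method in ("POST", "PUT", "PATCH"):
                entry["plaintext_writes"] += 1
    return dict(report)


def http_only_hosts(report):
    """Hosts never seen over HTTPS: candidates for HTTPS enforcement or blocking."""
    return sorted(h for h, e in report.items() if e["schemes"] == {"http"})


if __name__ == "__main__":
    rep = plaintext_exposure(SAMPLE_LOG)
    for host in sorted(rep):
        e = rep[host]
        print(f"{host:28s} schemes={sorted(e['schemes'])} "
              f"plaintext_clients={len(e['plaintext_clients'])} "
              f"plaintext_writes={e['plaintext_writes']}")
    print("HTTP-only hosts:", http_only_hosts(rep))
```

On the sample data this flags intranet.example.test as HTTP-only with one plaintext POST, while updates.example.test shows up as mixed (reachable both ways, so a redirect to HTTPS or HSTS would close the gap). To use it on real data, adjust LOG_RE to your proxy's format; the per-host summary logic does not depend on it.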
Lessen the chances of shoulder surfing
According to researchers from the US Naval Academy and the University of Maryland Baltimore County, attackers are able to discern “swiping” unlock patterns implemented in Android devices significantly more easily than PIN combinations. The researchers showed nearly 1200 people videos recorded from different angles of users unlocking their phones via patterns and PIN. What they found was that after only one viewing of users inputting their pattern, shoulder surfers were able to reproduce it 64% of the time. However, after removing feedback lines, only 35% of the attacks were successful. In comparison, only 10% of attackers were able to replicate a six-digit PIN after one observation.
You can find more information regarding their research in their paper.
Increase your security
Below are some recommendations for increasing your defenses against shoulder surfing attacks:
- Use a 6-digit or longer PIN.
- Use biometrics (fingerprint or face).
- Disable feedback lines (Settings > Lock screen and security > Secure lock settings) if you still prefer to use a pattern over PIN.