SciShow is supported by Brilliant.org. [INTRO ♪] We’ve come to rely pretty heavily on Wi-Fi.

We’ve got our phones, computers, and watches hooked into our personal networks, not to mention all those Internet of Things gadgets, like smart refrigerators and network-enabled juice presses. Which is why the giant flaming hole in Wi-Fi security announced last week is kind of a huge deal.

The vulnerability, discovered by Belgian security researcher Mathy Vanhoef, could let hackers do things like steal credit card numbers or inject malware basically anywhere there’s Wi-Fi. And it went overlooked for 14 years. In practice, the effects might not be that bad, but experts were still taken by surprise.

The security protocol that encrypts pretty much all Wi-Fi networks is called WPA2, short for Wi-Fi Protected Access … two. It’s been around since 2004, and it was mathematically proven to be safe and to not give up passwords or encryption keys. Which … it doesn’t.

But the new vulnerability, known as Krack, gives hackers a potential workaround. Krack, short for Key Reinstallation AttaCK, exploits a process that’s an important part of WPA2 security: what’s known as the four-way handshake. The handshake is a series of messages exchanged between a client device, like your phone, and an access point, like your router, when they’re establishing a secure connection.

The first two steps of the four-way handshake involve the client and access point each making sure they have the right password. In the third message, the access point sends some additional information, and the fourth message is the client saying, “OK, we’re good to go.” Over the course of this exchange, the access point and the client agree on an encryption key, which both of them install after the fourth message. That key, along with a special number associated with the amount of data that’s been sent through the connection so far, is used to encrypt each chunk of data, or packet.

It’s kind of like a cereal box decoder ring that lets you have the rest of the conversation in code. That conversation is all of the data you’re sending and receiving on the internet, including your credit card number if you feel like finally splurging on that new video game. And Wi-Fi is beamed into the air where anyone in range can intercept it.

As long as it’s encrypted, nobody can snoop on the information you’re sending even if they intercept the message. Without knowing the code, it’s just gibberish. The Krack exploit lets hackers figure out the code by targeting the third message in the handshake.

That message can sometimes drop out because of routine blips in the connection, so if the access point doesn’t get the fourth “OK, it’s all good” message from the client, it sends the third message again, like “Hey! I don’t think you got that! Let me repeat it.” In his paper, Vanhoef found that if a hacker blocks that fourth “got it” message from getting to the access point, causing it to send the third message again, they can force a device to reinstall the encryption key, which also resets that special number.

And that’s bad. It means you’ll end up using the same encryption key and the same number— and therefore, the exact same code—over and over again. And repetition is how codes are broken.

With all those data packets encrypted with the exact same code, hackers can look for patterns that give away what the code is. It becomes way simpler to decrypt the data they’re intercepting. They could do a handful of things with this exploit, depending on the specific type of connection.

In some cases, they could theoretically send data, too, infecting the device with malware or ransomware. Now, this is a massive vulnerability, and there’s reason to take precautions. But there’s also reason not to panic, because it’s not the end of Wi-Fi as we know it.

The bad news first: since WPA2 is supposed to be so safe, it’s used to secure basically all Wi-Fi networks. All of the Wi-Fi. All of it.

So if you’re saying to yourself, “I wonder if my Wi-Fi enabled toaster is affected,” yes. Yes it is. Because it’s hooked into your home Wi-Fi network.

Hide your kids. Hide your Wi-Fi. Connecting to sites via https instead of http adds some extra security, because the https in the URL means the site is encrypted— this time between the website’s server and your browser, somewhere totally different than your computer and the access point.

But, depending on the data packets hackers manage to intercept and decrypt, there’s still a lot of information they could steal. They could also inject harmful software into sites that don’t use https— a favorite tactic they normally abuse over Wi-Fi networks that aren’t secure, like in coffee shops. The good news is that tech companies already know about Krack and are working on fixes for it.

But it’ll take time to patch everything. They’re already starting to push updates to phones and other devices. But your Wi-Fi router might need more time— not to mention your smart toaster.

And ideally, both your devices and your router should be patched. So you should definitely make sure to install any updates that come in for your devices. Even your smart hairbrush.

Is there a smart hairbrush? I don’t believe it. Another piece of good news is that a hacker would have to physically access the Wi-Fi network to pull off a Krack attack.

They couldn’t do it remotely. So unless you see someone in a sketchy van camping out across the street from your house, your personal network is probably fine. It’s a little easier to hang out near a business without anyone noticing, though, which is why this isn’t a risk to totally dismiss.

Vanhoef didn’t find evidence that people have actually been carrying out Krack-based attacks, but the risk in publishing it is that the bad guys find out too. Speaking of bad guys: right up there with hackers are chronically dishonest people, aka liars. Brilliant.org has a quiz about truthtellers and liars, and you need to use logic to figure out who’s who.

You need to know that I know that she knows ... I don't know! What I do know is that I’ve always liked riddles like this, and this is supposed to be a challenging one, so let’s go check it out!

So we're looking at Brilliant's Multi-Level Thinking course, which is one of those things that you kinda hope you're really good at, but, uh, we'll see. So here we have Alice, who says Bob is lying. But then Bob says, "Neither of us is lying." So now I have to figure out who's actually lying.

Alice is calling Bob a liar, but Bob is saying neither of us is a liar. So if Bob was telling the truth, then Alice would also be telling the truth, But Alice is saying that Bob is lying, so Alice must be telling the truth! So even though this is kinda set up as a quiz, it doesn't really feel like I'm taking a quiz.

It's just kinda fun and it kinda sets you up to think about the next problem in the right way, so that you can progress through the lesson. Thanks for joining me, checking out Brilliant's Multi-Level Thinking course. I'm really looking forward to going through their Computer Science one later and I think you might enjoy checking them out too, so go to Brilliant.org/SciShow and you can sign up for free and try them out.

The first 200 people who sign up there will get 20% off their annual subscription. [OUTRO ♪]