WPA2 is a popular standard used to set up Wi-Fi networks and is most commonly used to authenticate users with a password but can also handle more sophisticated authentication schemes using usernames, certificates, and private keys.
When using WPA2, all data sent between the router and your device by default is encrypted, unlike “unprotected” Wi-Fi networks without a password. Even if you intend to hang the password up on a wall, it’s recommended to set up your Wi-Fi with a password so that all data is encrypted and cannot be intercepted by people nearby.
You should also use WPA2 over other authentication and encryption standards, like LEAP and WEP, which have several known weaknesses that allow anybody to “steal” your Wi-Fi.
What is the recent WPA2 Vulnerability?
On October 16 researcher Mathy Vanhoef released details of recently found vulnerabilities in WPA2 that allow an attacker to decrypt encrypted Wi-Fi traffic. To carry out the attack, a skilled and determined attacker must be in the range of you and your router.
The vulnerability does not allow an attacker to decrypt your VPN or HTTPS traffic.
If you have connected to a WPA2 secured Wi-Fi network in the past years, there is a theoretical chance that an attacker could have obtained the unencrypted traffic sent between you and the internet. However, it’s very likely only large spy agencies would have had access to this flaw.
But now that the vulnerability is well documented and public, we can expect tools to emerge that will make it trivial for anyone to exploit this flaw, so it’s important to fix and/or mitigate the issue.
How to avoid the WPA2 vulnerability
ExpressVPN has already released firmware that patches any possible vulnerabilities for Open-WRT routers. Go to setup to find the latest firmware and follow the instructions.
Almost all devices are affected by the WPA2 vulnerability, though to varying extents. You can check if your device is affected here.
Whatever devices you run, make sure they are up to date and run the latest firmware. It might take a few days for a router patch to become available, but in this case, you should check the website of your router manufacturer for updates.
If you are in doubt about the protection level of your Wi-Fi, you can use an Ethernet cable or make extra sure you’re connected to ExpressVPN.
What does the WPA2 vulnerability mean for ExpressVPN users?
We have investigated this issue on ExpressVPN routers, and it only seems to affect ‘client’ mode, a rarely used feature used to connect two routers with each other. Nonetheless, we released an update that protects against the flaw on ExpressVPN Open-WRT routers.
On unsecured and vulnerable networks, and even malicious ones, you’re always protected when you connect with the ExpressVPN app. If you connect a vulnerable client (e.g., your unpatched phone) to an ExpressVPN router, no one could eavesdrop on it.
We continue to recommend you configure your device using WPA2 and set a password for your Wi-Fi, as well as update your phone and laptop whenever updates are available.