Wi-Fi networks vulnerable to cyber intrusions due to flaw in cryptographic protocol, report researchers
Researchers disclosed Monday morning that a major security flaw in the WPA2 Wi-FI security protocol used by almost all Wi-Fi networks, from laptops to routers, has been discovered, which could enable hackers to steal sensitive data and spread malicious malware. The attack does not work across the web; although devices that support Wi-Fi are likely affected.
The bug, dubbed Key Reinstallation Attack or ‘Krack” for short, was discovered by Mathy Vanhoef and Frank Piessens of Katholieke Universiteit Leuven (KU Leuven). The researcher published a website highlighting the security issue for a general audience, in addition to a research paper for a more technical audience.
“Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted,” the researchers wrote. “This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. Krack works against all modern protected Wi-Fi networks.”
The researchers added variants of the attack could impact Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and other companies that sell-internet products; and can be “especially catastrophic” against version 2.4 and above of wpa_supplicant, a Wi-Fi client commonly used on Linux.
The researchers noted Wi-Fi passwords do not need to be changed, since Krack doesn’t work using passwords. Instead, Krack involves setting up a rogue network within range of an actual network, and using the actual network’s name in order to connect devices.
Specifically, Krack works by taking advantage of a four-way “handshake,” which is used to establish a key for encrypting traffic. The researchers discovered a hacker can cause key resets by gathering and replaying transmissions, thereby collapsing the encryption protocol. According to the researchers, this is the first attack against the WPA2 protocol that doesn’t rely on password guessing.
“The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected.”
Users can take countermeasures against Krack by using a VPN, keep careful watch of certificate errors, check Wi-Fi access points waiting for software updates and patch a device’s operating system.