New ‘KRACK’ bug puts millions of devices at risk and affects anyone using Wi-Fi, says security expert.
Details of a newly discovered WPA2 (Wi-Fi Protected Access II) flaw have been made by Mathy Vanhoef, a security expert from Belgian university KU Leuven.
The bug, known as ‘KRACK’, (for Key Reinstallation Attack), has exposed a fundamental flaw in WPA2, the most common protocol used in securing most modern wireless networks. According to Mathy Vanhoef, the weakness lies in the protocol’s four-way handshake, which securely allows new devices with a pre-shared password to join networks.
He said: “The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransom-ware or other malware into websites… The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected.”
All at risk
The findings mean that the previously robust security protocol used to protect the vast majority of Wi-Fi connections is no longer secure. The flaw potentially exposes all wireless internet traffic regardless of how ‘secure’ otherwise a wireless network may be, to malicious eavesdroppers and attacks.
Crucially, KRACK bypasses password protection, meaning that every device connected to a Wi-Fi network is vulnerable and “attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted,” says Vanhoef’s report. “This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos and so on” – regardless of whatever other security has been implemented.
“During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks.” Or basically everything, not to put too fine a point on it…
Are we all doomed?
Not necessarily. Not yet anyway.
For one thing, despite the severity of the issue, attackers need to be close physically to a Wi-Fi access point to carry out an attack. The research data was also released to device manufacturers several months ago, and the issue should be fixed by backward compatible updates, and users should update their routers and devices as soon as possible. According to the Guardian website, Microsoft have already released a patch, while Google said it would be releasing one in the coming weeks.
Secure your network now – download the latest security software – right here on FileHippo.