A recently uncovered Wi-Fi vulnerability poses real security risks, with potential attackers able to access users’ internet traffic and intercept sensitive information.
Earlier this week, researchers unveiled details of the “KRACK” exploit that takes advantage of vulnerabilities in the WPA2 Wi-Fi security protocol to allow attackers to intercept and modify wireless traffic between computers and wireless access points, such as home routers.
The vulnerability was uncovered by Mathy Vanhoef, a postdoctoral researcher at KU Leuven University in Belgium, who yesterday published details of the exploit in a paper titled “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2“.
On his website, KrackAttacks, Vanhoef warns:
“The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks.”
The US Computer Emergency Readiness Team (US-CERT) explains the extent of the problem:
“US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected.”
All Wi-Fi devices are to some degree susceptible to the vulnerabilities making them ripe for data theft or ransomware code injection from any malicious hacker nearby, but Vanhoef says the main worry right now is Android, with some manufacturers and networks very slow to issue security updates. Microsoft has already issued a patch to fix the problem in all supported versions of Windows, with the updated pushed out worldwide on October 10th.
Photograph by Geralt