The vulnerability in the WPA2 security protocol leaves virtually everyone who connects to the internet via Wi-Fi at risk of devastating attacks that can reveal everything you do online as well as your most sensitive personal information.
Attackers in range of your devices can use Key Reinstallation Attacks, or KRACKs, to steal your credit card numbers, passwords, chat messages, emails, photos, and other personal information previously thought to be safely encrypted. The vulnerability also lets attackers inject and manipulate data by adding ransomware or malware onto a website. The flaws were found in the protocols that secure all modern Wi-Fi networks, which means they don’t only impact specific products, but every device capable of connecting to Wi-Fi.
“The attack works against all modern protected Wi-Fi networks,” Mathy Vanhoef, one of the KU Leuven researchers who discovered the WPA2 vulnerability, wrote.
The attack can break into a network by exploiting a four-way “handshake” that’s used to create a key for encrypting traffic. Researchers found that an attacker can force key resets by collecting and replaying transmissions of the third message of that handshake, effectively breaking down the encryption protocol. This is the first attack on the Wi-Fi protocol that doesn’t involve password guessing. It’s important to note that while the attack allows hackers to eavesdrop on traffic flowing from your router, it can’t be used to take over the device.
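An added example, not from the original article or the researchers' code: a toy Python model of why the replay described above matters and what the fix changes. It assumes, as the KRACK research describes, that installing a key resets the per-packet nonce counter; the `Client` class, the HMAC-based keystream and the sample frames are constructed for illustration.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: int, n: int) -> bytes:
    """Toy stand-in for the data cipher: output depends only on (key, nonce)."""
    out, block = b"", 0
    while len(out) < n:
        msg = nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical Wi-Fi client; `patched` selects the fixed behaviour."""
    def __init__(self, patched: bool):
        self.patched, self.key, self.nonce = patched, None, 0
        self.seen = set()  # (key, nonce) pairs already used to encrypt

    def on_message3(self, key: bytes) -> None:
        # Fixed behaviour: a retransmitted message 3 for the key already
        # in use must not reinstall it.
        if self.patched and key == self.key:
            return
        self.key, self.nonce = key, 0  # key install resets the nonce counter

    def send(self, plaintext: bytes):
        self.nonce += 1
        pair = (self.key, self.nonce)
        reused = pair in self.seen
        self.seen.add(pair)
        return self.nonce, xor(plaintext, keystream(*pair, len(plaintext))), reused

P1 = b"GET /inbox HTTP/1.1\r\n"   # constructed sample frames
P2 = b"user=alice&pin=0000\r\n"

def simulate(patched: bool):
    """Handshake, one frame, replayed message 3, a second frame."""
    key = b"constructed-session-key"
    client = Client(patched)
    client.on_message3(key)
    n1, c1, _ = client.send(P1)
    client.on_message3(key)  # retransmission of handshake message 3
    n2, c2, reused = client.send(P2)
    # With a reused nonce the keystream cancels: c1 XOR c2 == P1 XOR P2.
    return n1, n2, reused, xor(c1, c2) == xor(P1, P2)

if __name__ == "__main__":
    print("unpatched:", simulate(False))
    print("patched:  ", simulate(True))
```

In the unpatched run both frames are encrypted under nonce 1, so the two ciphertexts XOR to the XOR of the plaintexts; in the patched run the counter keeps advancing and no (key, nonce) pair repeats.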
Variants of the attack affect Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and products from other companies that sell internet-connected devices. The security researchers who found the flaw say devices running unpatched versions of Android and Linux are vulnerable to a particularly “catastrophic” attack.
Several companies have already issued patches that fix the Wi-Fi vulnerability.
Microsoft told Forbes that all users who manually apply the latest update or have automatic updates enabled are protected.
Apple has not commented on whether its latest versions of macOS and iOS are vulnerable.
Google promised a fix for its devices “in the coming weeks.” Until then, we recommend you avoid connecting to public Wi-Fi.
Vanhoef posted a proof-of-concept video demonstrating how KRACK can be used to infiltrate an Android smartphone.
All data transmitted from 41 percent of existing Android devices via Wi-Fi can be decrypted, even if a website uses the HTTPS protocol for an additional layer of protection.
The best way to protect yourself against this widespread vulnerability is to update all of your devices when a solution becomes available. That includes your gadgets and Wi-Fi access points. The Wi-Fi Alliance, a governing body that sets the standards for Wi-Fi, will work with device vendors to make sure they update their products with the latest software. A broad notification to vendors of affected devices was sent out on August 28.
It’s not clear if the Wi-Fi flaw is actively being exploited in the wild.
The United States Computer Emergency Readiness Team published a statement following the disclosure of the exploit.
“US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.”
H/T Ars Technica