A newly discovered Wi-Fi vulnerability poses real security risks: attackers may be able to access users’ internet traffic and intercept sensitive information.
Earlier this week, researchers unveiled details of the “KRACK” exploit, which takes advantage of vulnerabilities in the WPA2 Wi-Fi security protocol to let attackers intercept and modify wireless traffic between computers and wireless access points, such as routers.
The vulnerability was discovered by Mathy Vanhoef, a postdoctoral researcher at KU Leuven University in Belgium, who published details of the exploit in a paper titled “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2”.
On his website, KrackAttacks, Vanhoef warns:
“The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks.”
The US Computer Emergency Readiness Team (US-CERT) explains the scope of the problem:
“US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected.”
All Wi-Fi devices are to some degree susceptible to the vulnerabilities, making them ripe for information theft or ransomware code injection by any malicious hacker nearby. However, Vanhoef states the main worry right now is Android, with a few manufacturers and networks quite slow to issue security updates. Microsoft has issued a patch to fix the problem in all supported versions of Windows, with the update pushed out worldwide on October 10th.