A researcher has discovered a security flaw in the WPA2 Wi-Fi protocol, putting most modern, protected Wi-Fi networks at risk. According to the research, which was published earlier today, the flaw can be used to steal sensitive information like “credit card numbers, passwords, chat messages, emails, photos,” and more.
The attack is known as KRACK (after “key reinstallation attacks”), and it exploits the “four-way handshake” protocol used by WPA2 as a means of secure authentication. Because KRACK relates to the WPA2 Wi-Fi standard itself, rather than individual devices that use it, its impact could be widespread.
The researcher, Mathy Vanhoef of imec-DistriNet, KU Leuven, states that “if your device supports Wi-Fi, it is most likely affected,” and also notes that 41 percent of all Android devices are vulnerable to the “exceptionally devastating” variant of the Wi-Fi attack. It’s devices running Android 6.0 or higher that are susceptible, apparently, though that would make the figure more like 50 percent of Android devices (presumably, the number was taken from the Android platform dashboard before October’s numbers arrived).
Alongside the information, which you can read more about over at www.krackattacks.com, Vanhoef made a proof-of-concept video to show how the exploit works.
Responding to the issue, the United States Computer Emergency Readiness Team (CERT) provided the following statement (via Ars Technica):
“US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.”
As for what you can do to protect yourself, Vanhoef said that changing the password of your Wi-Fi network won’t help to prevent an attack through this method, but you should make sure “all your devices are updated,” including updating the firmware of your router.
Vanhoef intends to present their paper on the matter at the Computer and Communications Security (CCS) conference on Wednesday, November 1, 2017. It isn’t yet clear if hackers or scammers are actively making use of the KRACK exploit.