A fundamental flaw has been discovered in the security layer that protects Wi-Fi networks.
As a result, it is possible for hackers to intercept information you transmit over a Wi-Fi connection.
This vulnerability in the security layer known as Wi-Fi protected access II, or WPA2, was discovered by Mathy Vanhoef, a researcher at Belgian university KU Leuven. He explains on his website devoted to the issue:
“This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”
The CERT Division of the Software Engineering Institute at Carnegie Mellon University — which is sponsored by the U.S. Department of Homeland Security — also issued a notice about the WPA2 vulnerability Monday.
How hackers can exploit devices
Attackers could exploit the WPA2 weakness using what’s known as a key reinstallation attack, or KRACK, if they are within range of your Wi-Fi network.
As Alan Woodward, a professor in the Department of Computer Science at England’s University of Surrey, explains it to the BBC:
“When any device uses Wi-Fi to connect to, say, a router it does what is known as a ‘handshake’: It goes through a four-step dialogue, whereby the two devices agree [on] a key to use to secure the data being passed (a “session key”). This attack begins by tricking a victim into reinstalling the live key by replaying a modified version of the original handshake. In doing this a number of important set-up values can be reset, which can, for example, render certain elements of the encryption much weaker.”
Vanhoef notes that all modern protected Wi-Fi networks use this four-way handshake. So, any device that supports a Wi-Fi connection is most likely affected by this vulnerability. For example, his research found that Android, Apple, Linux and Windows devices, among others, are at risk.
What you should know and do about the WPA2 weakness
The security flaws Vanhoef discovered are in the WPA2 standard itself rather than individual products. That is why any Wi-Fi-enabled device is most likely impacted. It is also why experts, including Vanhoef and CERT, are urging folks to update their devices with the latest available security patches. That includes laptops and smartphones as well as routers. CERT’s note says:
The WPA2 protocol is ubiquitous in wireless networking. Users are encouraged to install updates to affected products and hosts as they are available. For information about a specific vendor or product, check the Vendor Information section of this document or contact the vendor directly.
A spokesperson for Google, which developed the Android operating system, told Forbes, “We’re aware of the issue, and we will be patching any affected devices in the coming weeks.”
The Wi-Fi Alliance, which represents the Wi-Fi industry, also notes that “there is no evidence that the vulnerability has been exploited maliciously.”
What’s your take on this news? Sound off below or over on our Facebook page.