Severe WiFi security flaw puts millions of devices at risk

Researchers have found high-severity vulnerabilities in WPA2 (Wi-Fi Protected Access II), a popular security protocol used by almost every router on the planet, and the resulting attack is threatening to become bigger.

Reusing or recycling a nonce allows the attacker to decrypt and forge packets of information within the traffic stream, exposing user activity and data. Those affected include Wi-Fi enabled devices such as Apple computers, iOS devices, Windows computers, and more. "As a result, now 31.2 percent of Android devices are vulnerable to this exceptionally devastating variant of our attack".

A new vulnerability in the Wi-Fi Protected Access II (WPA2) protocol has been detailed.

A newly-discovered security flaw affects virtually every Wi-Fi device, and could render your home network as readable to hackers as the free Wi-Fi at a coffee shop. Due to a flaw in the design of the protocol itself, not a specific vendor implementation, attackers can capture part of the handshake message and use modified versions of it to trick devices into installing a blank encryption key, a technique Vanhoef calls "key reinstallation attacks", or KRACKs.
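The nonce reuse and key reinstallation described above can be modelled in a few lines; this is an added example, not code from the researchers or any vendor. The `Client` class, the SHA-256 keystream standing in for the cipher's counter mode, and all keys and payloads are constructed assumptions, and the hardened branch assumes a fix that ignores a repeat install of the key already in use.

```python
import hashlib

P1 = b"known header bytes.."   # constructed plaintext the observer can guess
P2 = b"secret user payload!"   # constructed plaintext the observer wants

def keystream(key: bytes, nonce: int, n: int) -> bytes:
    # Assumption: SHA-256 over key||nonce||block stands in for the cipher's
    # counter-mode keystream so the example needs no third-party library.
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce.to_bytes(6, "big") + bytes([block])).digest()
        block += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Toy transmit state of a Wi-Fi client (hypothetical, not a real stack)."""
    def __init__(self, hardened: bool):
        self.hardened, self.key, self.nonce = hardened, None, 0
        self.seen = set()  # (key, nonce) pairs already used to encrypt

    def install_key(self, key: bytes) -> None:
        # Runs for every handshake message carrying the key, replays included.
        if self.hardened and key == self.key:
            return              # key already installed: keep the nonce counter
        self.key, self.nonce = key, 0   # vulnerable path: counter starts over

    def send(self, plaintext: bytes):
        self.nonce += 1
        reused = (self.key, self.nonce) in self.seen
        self.seen.add((self.key, self.nonce))
        ct = xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))
        return self.nonce, ct, reused

def run_session(hardened: bool):
    key = b"constructed-session-key"
    client = Client(hardened)
    client.install_key(key)
    n1, c1, _ = client.send(P1)
    client.install_key(key)     # replayed handshake message, same key
    n2, c2, reused = client.send(P2)
    # With a repeated nonce the keystream cancels: c1 ^ c2 == P1 ^ P2,
    # so knowing P1 yields P2 without ever learning the key.
    recovered = xor(xor(c1, c2), P1)
    return {"nonces": (n1, n2), "reused": reused, "recovered": recovered}

if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "vulnerable", run_session(mode))
```

In the vulnerable run both frames are sent under nonce 1 and the second plaintext falls out of the XOR; in the hardened run the nonces are 1 and 2 and the same computation yields only noise.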

The so-called "Krack" attack has been described as a "fundamental flaw" in wireless security techniques by experts.

This comes right after US-CERT (United States Computer Emergency Readiness Team) issued a warning in response to the exploit.

"Cisco is aware of the industry-wide vulnerabilities affecting Wi-Fi Protected Access protocol standards", a Cisco spokesperson told ZDNet.

On top of that, there is currently no known public attack code available to exploit the vulnerabilities, although that will no doubt change, and any hacker would need to be both very skilled and situated in close proximity to your network kit in order to conduct the attack.

Wi-Fi networks typically use shared keys (usually based on AES encryption) to protect network traffic. "For example, an attacker might be able to inject ransomware or other malware into websites".

Many operating systems and applications (including web browsers) use additional security methods to prevent eavesdropping, but while sensitive data like credit card information might be hard for eavesdropping hackers to extract, it wouldn't be impossible. According to The Verge, Microsoft has already released a fix for customers using Windows devices.

"One of the biggest concerns here of course is getting routers patched - firstly getting the average user to check and apply any firmware updates and secondly, some older routers may not even have a patch available - the average household would acquire an auto-configured router, install it and forget about it, until possibly they change their internet provider".

This is probably overkill, especially if you follow the other three steps listed above.

This avoids using the PSK directly in encrypting wireless data, and ensures a unique key for each session.

Devices such as laptops and smartphones will need to be updated as well as routers, and Vanhoef recommends users get in touch with the relevant companies to keep an eye on delivery of patches.

  • Joey Payne