A WPA2 security flaw known as KRACK breaks down the common security protocol, leaving nearly every Wi-Fi-connected device at risk for data theft or hacking.
Nearly all modern, protected Wi-Fi networks and the devices connected to them are now at risk of spying or malicious cyberattacks, thanks to a recently-discovered flaw in the WPA2 security protocol.
The flaw is referred to as KRACK, which stands for key reinstallation attack. It was originally detailed in a paper published by Mathy Vanhoef, a security expert at the Belgian university KU Leuven, and on this website.
Because most modern networks use a form of WPA2 security, they are all at risk, the paper said. Additionally, "if your device supports Wi-Fi, it is most likely affected," Vanhoef wrote. And it's not just snooping that is at risk here—this flaw can also be used to inject ransomware and other forms of malware onto websites, the KRACK site noted.
SEE: Network security policy template (Tech Pro Research)
The flaw itself exploits the four-way handshake procedure that is used to connect users to a Wi-Fi network. The handshake essentially determines that a device and access point have access to the same credentials, the website said, and creates an encryption key for all the traffic that will happen between them.
However, with the KRACK attack, a user can be tricked into installing an already-used key with its parameters reset. Because of this, attackers can intercept and decrypt client packets, potentially gaining access to sensitive information in the process.
According to the site, the following identifiers have been assigned to KRACL:
While nearly every connected device is at risk, a certain vulnerability in a Wi-Fi client commonly used on Linux makes it especially devastating to certain Android and Linux devices. Some 41% of Android devices, including those running Android 6.0 and above, have this vulnerability, that makes it "trivial to intercept and manipulate traffic sent by these Linux and Android devices," the website said.
Additionally, internet of things (IoT) devices could be hit very hard by KRACK attacks as well, Luta Security founder Katie Moussouris tweeted.
According to the KRACK website, the researchers began notifying affected vendors on July 14, 2017. They then reached out to the US Department of Homeland Security's cyber-emergency unit US-CERT, which later sent out a notification to vendors on August 28, 2017.
While there haven't necessarily been any examples of this type of attack in the wild, users should still remain cautious as many devices have likely not yet been patched. For extremely sensitive data, consider forgoing Wi-Fi if at all possible. However, if you must use Wi-Fi, WPA2 is still preferable over WEP, the website noted.
Update: Security professionals are reminding enterprises that the vulnerability is patchable, and there is currently no publicly-available code to attack this flaw. In a statement to the Verge, Microsoft said that it has already issued a patch for the KRACK vulnerability, and Google has promised a patch in the coming weeks. A Linux patch is also available and a host of other organizations have issued patches as well.
The 3 big takeaways for TechRepublic readers
- KRACK, a new key reinstallation attack, puts nearly every Wi-Fi device at risk of eavesdropping on its network traffic, according to researchers.
- The flaw tricks users into installing an already used security key, which can enable attackers to intercept and decrypt client packets, potentially stealing information.
- Android devices and IoT devices will be especially hard hit, but all devices on modern Wi-Fi networks will be at risk to some degree, researchers said.
- How to build a successful career in cybersecurity (free PDF) (TechRepublic)
- WPA2 security flaw puts almost every Wi-Fi device at risk of hijack, eavesdropping (ZDNet)
- Complete WiFi and Network Ethical Hacking Course 2017 (TechRepublic Academy)
- Hackers are using hotel Wi-Fi to spy on guests, steal data (ZDNet)
- Critical Bluetooth flaw could put nearly every connected device at risk of cyberattack (TechRepublic)