The WPA2 encryption security protocol that protects your Wi-Fi connection has a flaw. And it’s a flaw that could allow hackers to intercept passwords, photos, emails, credit card information and more. It could also potentially be used to inject malware onto a website you’re casually visiting.
This is a potentially catastrophic vulnerability that could adversely affect almost anyone connected to the internet. And unfortunately, there isn’t a great deal any of us can do to fix the problem. Instead, we’re reliant on the likes of Microsoft, Google, and Apple issuing fixes sooner rather than later.
KRACKing the WPA2 Security Protocol
The WPA2 vulnerability, as discovered by security researcher Mathy Vanhoef of the Katholieke Universiteit Leuven in Belgium, has been codenamed KRACK. This stands for Key Reinstallation AttaCK, so-called because the vulnerability exploits the 4-way handshake which the WPA2 protocol uses to ensure that both the client and access points have the correct credentials.
As reported by Ars Technica, in essence, KRACK allows an attacker to force the client to reuse an already-used encryption key. Any encryption can then be bypassed, allowing the attacker to intercept any traffic, including sensitive data. They could, if they wanted to, also take the opportunity to inject malware into websites.
Because this vulnerability is in the WPA2 protocol itself, pretty much every device which connects to Wi-Fi is affected. However, because of the way they deal with encryption keys, Android and Linux are even more vulnerable to KRACK. Which is worrying given the sheer popularity of Android.
After discovering this flaw in WPA2, security researchers sent out notices to specific vendors in July. And then in August a broad notification was released with a warning that the vulnerability would be publicly disclosed today (October 16). Unfortunately, that doesn’t appear to have been long enough for most vendors to fix the problem.
Fixes Are Rolling Out… Slowly
Security fixes for the WPA2 flaw are already being rolled out. Microsoft has already released an update for Windows (8 and above), and Google will be issuing a patch in the coming weeks. So all any of you can do is update your wireless routers and other devices as soon as vendors issue these updates.
Unfortunately, not all vulnerable devices will be patched, and even if a fix becomes available the onus is on individuals to install the updates. And that means there will be millions of devices vulnerable to KRACK for years to come. Perhaps it’s time for the Wi-Fi Alliance to develop WPA3…
What do you think of KRACK? And are you worried about it being exploited in the wild? Should every company whose products are affected by this release a patch as a priority? Or do you think the threat is being overstated? Please let us know in the comments below!
Image Credit: Tony Webster via Flickr