Bad news for anyone who uses Wi-Fi. A Belgian researcher has discovered a vulnerability that will allow hackers to see and steal just about any data on any device connected to Wi-Fi. They can plant things on your devices, too, like ransomware. So what can be done to stop this new menace? Not much, yet.
First, we’ll detail the problem. Mathy Vanhoef, from Belgian university KU Leuven, named the new issue KRACK: Key Reinstallation Attack. “This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”
As Forbes reports, “It affects a core encryption protocol, Wi-Fi Protected Access 2 (WPA2), relied on by most Wi-Fi users to keep their web use hidden and secret from others. More specifically, the KRACK attack sees a hacker trick a victim into reinstalling an already-in-use key. Every key should be unique and not re-usable, but a flaw in WPA2 means a hacker can tweak and replay the “handshakes” carried out between Wi-Fi routers and devices connecting to them; during those handshakes, encryption keys made up of algorithmically-generated, one-time-use random numbers are created. It turns out that in WPA2, it’s possible for an attacker to manipulate the handshakes so that the keys can be reused and messages silently intercepted.”
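The mechanism Forbes describes, a device being tricked into installing a key it already uses and thereby resetting the per-packet nonce, can be shown with a small simulation. The code below is an added illustration, not from the original article or from Vanhoef's research tooling: the `keystream` function is a stand-in for the AES-CTR keystream that WPA2's CCMP mode actually uses, the `Station` class, `simulate` and the sample messages are constructed here, and `reinstall_allowed` models the difference between an unpatched client (reinstalls on a replayed handshake message) and a patched one (installs the key only once). It shows why a reinstalled key is dangerous for a defender: two packets encrypted under the same key and nonce leak the XOR of their plaintexts, so one known packet exposes the other.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Deterministic keystream from (key, nonce) -- an HMAC-based stand-in for
    the AES-CTR keystream used by CCMP; the reuse property is the same."""
    out = b""
    block = 0
    while len(out) < length:
        msg = nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Simplified Wi-Fi client: holds the session key and a packet nonce that
    restarts from zero whenever a key is installed."""

    def __init__(self, reinstall_allowed: bool):
        self.key = None
        self.nonce = 0
        self.reinstall_allowed = reinstall_allowed

    def install_key(self, key: bytes) -> bool:
        # Patched behaviour: a key that is already installed is not installed
        # again, so a replayed handshake message cannot reset the nonce.
        if self.key is not None and not self.reinstall_allowed:
            return False
        self.key = key
        self.nonce = 0  # key (re)installation resets the packet nonce
        return True

    def encrypt(self, plaintext: bytes) -> bytes:
        ct = xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))
        self.nonce += 1
        return ct


def simulate(reinstall_allowed: bool, ptk: bytes, msg1: bytes, msg2: bytes):
    """Send msg1, receive a replayed 'install this key' message, send msg2.
    Returns the two ciphertexts a passive observer would see."""
    sta = Station(reinstall_allowed)
    sta.install_key(ptk)  # legitimate handshake completes
    c1 = sta.encrypt(msg1)
    sta.install_key(ptk)  # same key offered again (replayed handshake message)
    c2 = sta.encrypt(msg2)
    return c1, c2


def recover_with_known_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If both packets used the same keystream, c1 XOR c2 == p1 XOR p2,
    so knowing p1 reveals p2. With distinct nonces this yields garbage."""
    return xor(xor(c1, c2), known_p1)


# Constructed sample values; a real PTK is negotiated per session.
SAMPLE_PTK = b"constructed-session-key-for-demo"
KNOWN_PACKET = b"GET /index.html HTTP/1.1"
SECRET_PACKET = b"Cookie: session=abc123x"


def leak_demo(reinstall_allowed: bool) -> bool:
    """True if the second packet is recoverable from the first."""
    c1, c2 = simulate(reinstall_allowed, SAMPLE_PTK, KNOWN_PACKET, SECRET_PACKET)
    recovered = recover_with_known_plaintext(c1, c2, KNOWN_PACKET)
    return recovered == SECRET_PACKET[: len(recovered)]


if __name__ == "__main__":
    print("unpatched client leaks second packet:", leak_demo(True))
    print("patched client leaks second packet:  ", leak_demo(False))
```

The fix modelled by `reinstall_allowed=False` is the one vendors shipped: keep the key, but refuse to reset the nonce and replay counters when the same key is presented again. The point for readers is that the confidentiality loss does not require breaking AES; it follows purely from reusing a key and nonce pair, which is why patching the client side matters even when the router is already updated.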
The video below suggests Android and Linux users are most at risk.
“The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others are all affected by some variant of the attacks,” Vanhoef noted.
“What to do?” Forbes asks. Their answer may not be practical: stop using Wi-Fi. Everything that uses Wi-Fi will need updated security protocols. That includes watches, phones, laptops, computers, tablets, even routers.
Forbes does point to one bright spot. As of now, officials don’t think it is possible for hackers to exploit these holes remotely. They need to be in physical proximity to the Wi-Fi network.
Forbes offers some practical advice to help cover your assets until the patches come. “For those users whose routers, PCs and smartphones don’t yet have updates, there are some measures they can take to protect their online privacy. A Virtual Private Network (VPN) software could protect them, as it will encrypt all traffic. Only using HTTPS encrypted websites should also benefit the user, though there are exploits that can remove those protections. Changing the Wi-Fi password won’t prevent attacks, but it’s advisable once the router has been updated.”
Companies that rely on this software are currently working on a fix.