A New Severe Security Flaw Could Leave Your Wi-Fi Open To Snooping

You've set up a closed Wi-Fi network at home and use the same thing at the office, and it's secured through the WPA2 standard, the ubiquitous security protocol for Wi-Fi, widely established as superior to WEP. Think you're safe? As of today, you should think again. This morning, security researchers revealed a new kind of attack on the popular Wi-Fi protocol that allows bad actors to potentially eavesdrop on your Wi-Fi traffic and intercept sensitive data passing through the network, whether that's passwords, emails, chat messages, photos, or credit card information.

The exploit, disclosed by security researcher Mathy Vanhoef at KU Leuven, a Belgian university, is called KRACK, short for Key Reinstallation Attacks. Vanhoef says that the vulnerability affects the WPA2 standard itself and can potentially be exploited on devices running Android, Apple, Windows, Linux, and OpenBSD operating systems, plus Linksys routers, Internet of Things devices, and other wireless devices using MediaTek chips. "The attack works against all modern protected Wi-Fi networks," Vanhoef warned.

Microsoft said it had already released a software patch for this vulnerability. "Microsoft released security updates on October 10th and customers who have Windows Update enabled and applied the security updates, are protected automatically," a company spokesperson told BuzzFeed News. Apple confirmed it has a fix in public beta for its Apple Watch and Apple TV operating systems, and a fix in developer beta for Mac OS and iOS. It will be officially rolling out the patch in a software update in a couple of weeks. Google did not respond to a request for comment.

But while Vanhoef presented proof-of-concept that the attack can work, you don't necessarily need to panic yet. There is no immediate risk, and certainly not to the overwhelming majority of people, Kenneth White, a Washington, DC-based security consultant to federal agencies, who was briefed on Vanhoef's research, told BuzzFeed News. No exploit code has been released. Additionally, White noted, someone would have to be somewhat physically nearby the network to launch the attack.

Basically, White recommended, the security-conscientious should do what they always do every time a new vulnerability is discovered: update, update, update. Major wireless vendors will likely issue software patches for the vulnerable devices, White said. Over-the-air updates to phones and devices will help reduce the threat of the most trivial attacks, he said.

Meanwhile, the Wi-Fi Alliance said that major platform providers had already started pushing out patches for the WPA2 vulnerability. "There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections," the group said in a statement. "Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member."

Still, it isn't clear how long it will take for the affected devices to be patched or whether some Wi-Fi devices can be patched at all. In particular, White said, owners of older Android phones running version 6.0 of the operating system should make sure they update because their devices are extra vulnerable. Vanhoef called the attack "exceptionally devastating" to such devices in his research paper. About a third of Android phones in circulation are known to be vulnerable, according to the most recent Android developer data. But even more at risk are the millions of vulnerable Internet of Things wireless devices that consumers own, many of which don't have the ability to get software updates over a wireless network.

One vulnerability at issue, according to Vanhoef's research, is the random number generation in group keys (encryption keys shared on WPA and WPA2 wireless networks). The security of such keys relies on how random those numbers are, but Vanhoef's findings suggest they may not be random enough, to the point that predicting them may be possible. By inundating a wireless network with authentication handshakes, Vanhoef's research shows it's possible to figure out a 128-bit WPA2 key, through sheer volume of random number collection. Then that key can be used in a certain way on the network so that it subverts the encryption in place, giving the attacker access to all the data passing through the network.

And on older Android phones, the attack is much simpler, White said: By repeatedly replaying one of the messages in the Wi-Fi handshake, the attacker can force a special code called a nonce to be reused. Once that's done, it is possible to decrypt network packets. On Android, a common piece of Linux code is used so that decryption is much easier to accomplish, White explained: it can take just seconds to do.

The findings of the research will be discussed in a talk at the ACM Conference on Computer and Communications Security in Dallas on Nov. 1, while related research was presented last August at the Black Hat Security Conference in Las Vegas. By then, hopefully, most vendors will have already issued a software update addressing the attack. But whether most people actually make the effort to update their wireless devices, or whether they're even able to update them in the first place, remains the perennial security issue.
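Why the nonce reuse described above matters, shown as an added example that is not from the article or from Vanhoef's research: a simplified Python model in which reinstalling a key that is already in use resets the packet counter, so two frames share a keystream and their XOR equals the XOR of the plaintexts. The HMAC-based keystream is a stand-in for WPA2's real cipher, and the `Station` class, key and frame payloads are constructed for illustration.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Stand-in keystream (assumption): HMAC-SHA256 over nonce || block index."""
    out, block = b"", 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Station:
    """Hypothetical client model; not real supplicant code."""
    def __init__(self, patched: bool):
        self.patched, self.key, self.pn = patched, None, 0

    def install_key(self, key: bytes) -> None:
        # Patched model: a replayed handshake message carrying the key that
        # is already in use must not reinstall it.
        if self.patched and key == self.key:
            return
        self.key, self.pn = key, 0  # reinstall resets the nonce counter

    def send(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.key, self.pn, len(plaintext)))

def replay_demo(patched: bool):
    """Return (nonce1, nonce2, leaked) for two frames around a replay."""
    key = bytes(range(16))            # constructed 128-bit session key
    p1 = b"GET /inbox HTTP/1.1"       # constructed frame payloads
    p2 = b"user=alice&pw=example"
    sta = Station(patched)
    sta.install_key(key)
    n1, c1 = sta.send(p1)
    sta.install_key(key)              # handshake message replayed
    n2, c2 = sta.send(p2)
    # With a shared keystream, c1 XOR c2 == p1 XOR p2: no key needed.
    leaked = xor(c1, c2) == xor(p1, p2)
    return n1, n2, leaked

if __name__ == "__main__":
    print("unpatched:", replay_demo(False))  # nonce repeats, plaintext XOR leaks
    print("patched:  ", replay_demo(True))   # nonce advances, nothing leaks
```

In the patched model the second frame is sent under a fresh nonce, which is why installing vendor updates closes this hole without changing the Wi-Fi password.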