Early this morning, researchers announced a major Wi-Fi exploit found within the WPA2 security protocol (the same protocol used to password-protect your Wi-Fi network) that can be used by hackers to steal personal information like passwords, banking logins, and email addresses. The exploit, known as KRACK (Key Reinstallation Attacks), can even inject malware into a website you’re currently viewing and take advantage of your computer. This research was kept under wraps until today and was originally noted by Ars Technica.
Obviously, such a major vulnerability would put anyone on high alert (I literally ran around my office updating my entire staff’s collection of computers and devices), so here’s what you need to know about the exploit and whether you should keep worrying about it in the future.
It affects nearly every Wi-Fi-enabled device
According to www.krackattacks.com, this KRACK exploit affects nearly every device with Wi-Fi. This includes those powered by Android, iOS, macOS, and Windows. MediaTek and Linksys devices were also discovered to be vulnerable. The researchers explain why this is so below.
The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor.
Android and Linux are especially vulnerable
Android and Linux are especially vulnerable to this exploit, as the researchers explain below.
As a proof-of-concept we executed a key reinstallation attack against an Android smartphone. In this demonstration, the attacker is able to decrypt all data that the victim transmits. For an attacker this is easy to accomplish, because our key reinstallation attack is exceptionally devastating against Linux and Android 6.0 or higher. This is because Android and Linux can be tricked into (re)installing an all-zero encryption key (see below for more info). When attacking other devices, it is harder to decrypt all packets, although a large number of packets can nevertheless be decrypted. In any case, the following demonstration highlights the type of information that an attacker can obtain when performing key reinstallation attacks against protected Wi-Fi networks:
Our attack is not limited to recovering login credentials (i.e. e-mail addresses and passwords). In general, any data or information that the victim transmits can be decrypted. Additionally, depending on the device being used and the network setup, it is also possible to decrypt data sent towards the victim (e.g. the content of a website). Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations. For example, HTTPS was previously bypassed in non-browser software, in Apple’s iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps.
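Why reinstalling a key lets traffic be decrypted, shown as an added example that is not from the article or the researchers: installing a key resets the per-frame packet number (nonce), so two frames end up encrypted with the same keystream. The `Client` class, the SHA-256 keystream (a stand-in for the real WPA2 cipher) and the sample frames are all constructed for this illustration.

```python
import hashlib

def keystream(key: bytes, pn: int, length: int) -> bytes:
    """Toy per-frame keystream derived from (key, packet number)."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + pn.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Simplified transmit side: a session key plus an incrementing packet number."""
    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.pn = 0

    def install_key(self, key: bytes) -> None:
        # Patched behaviour (simplified): a key already in use is not installed again.
        if self.patched and key == self.key:
            return
        self.key = key
        self.pn = 0  # installing a key resets the packet number (nonce)

    def send(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.key, self.pn, len(plaintext)))

KNOWN = b"GET /login HTTP/1.1 "    # constructed frame with predictable content
SECRET = b"password=hunter2-xyz"   # constructed frame the client wants kept private

def frames_after_replayed_handshake(patched: bool):
    """Return (nonce_reused, ct1 XOR ct2) for two frames sent around a replayed handshake message."""
    key = b"constructed-session-key"
    client = Client(patched)
    client.install_key(key)
    pn1, ct1 = client.send(KNOWN)
    client.install_key(key)        # the same handshake message arrives a second time
    pn2, ct2 = client.send(SECRET)
    return pn1 == pn2, xor(ct1, ct2)

if __name__ == "__main__":
    for patched in (False, True):
        reused, mixed = frames_after_replayed_handshake(patched)
        print("patched" if patched else "unpatched", reused, xor(mixed, KNOWN))
```

On the unpatched client the keystream cancels out, so XORing the two ciphertexts with the predictable frame yields the private one; on the patched client the packet number keeps counting and the result is noise.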
It’s not just WPA2
Not only is the WPA2 protocol exploited, but so are WPA1 and WEP, which are especially vulnerable. However, since most users rely on WPA2 for their Wi-Fi, this protocol is at the forefront of this exploit and is in much more dire need of being patched.
Manufacturers are patching and patching and patching
Speaking of which, some companies have already announced they’re patching their devices so that far fewer people are vulnerable to this security hole. Microsoft told The Verge that Windows 10, 8.1, 8, and 7 are all getting a special security update today that resolves the issue, while Apple’s latest iOS, macOS, watchOS, and tvOS betas all include the same patch (via 9to5Mac). As for Android, Google says next month’s security patch will include the fix, but it seems this can’t come soon enough. We expect more companies to begin resolving this issue in the very near future.
While the exploit is still present on many devices around the world, the researchers say it hasn’t been utilized by hackers as of yet. At the rate OEMs are currently patching their devices, it looks like this worry will never come to pass. Of course, it may if you don’t update your device’s firmware, your router’s firmware, your PC’s firmware, or your gaming console’s firmware as soon as new patches are available for them. But at least for now, you can rest easy knowing things are being taken care of.