Researchers unveiled a newly discovered security flaw allowing hackers to eavesdrop on Wi-Fi traffic sent between access points and devices.
Though “all modern” access points and devices are said to be impacted, devices running Android 6.0 or higher are reported to be particularly vulnerable.
The exploit, known as key reinstallation attacks (KRACKs), was disclosed Monday (16 October) in coordinated releases from the United States Computer Emergency Readiness Team (US CERT) and researchers from University of Leuven (KU Leuven) in Belgium. Mathy Vanhoef of the imec-DistriNet research group of KU Leuven is named as the one who discovered the flaw.
According to researchers, a weakness in Wi-Fi’s WPA2 security protocol allows hackers to carry out KRACKs. US CERT said these attacks may include “arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames”. In other words, malicious actors can read encrypted information and steal sensitive data including credit card numbers, passwords, emails and messages, among other things. Depending on a user’s network setup, hackers can also carry out other attacks by inserting malware to websites a user is visiting.
What devices are impacted?
The flaw is said to be present in the WPA2 Wi-Fi standard itself rather than in individual devices, meaning the scale of this vulnerability is massive.
“The attack works against all modern protected Wi-Fi networks,” the Leuven researchers wrote in a case study: “If your device supports Wi-Fi, it is most likely affected.”
Researchers indicated devices operating on Android, Linux, Apple, Windows, OpenBSD, MediaTek and Linksys could all be accessed through this flaw. However, Android and Linux were particularly vulnerable since those systems can be “tricked” into using an all-zero encryption key instead of a real key. Approximately 41 per cent of Android devices – including devices running Android 6.0 or higher – are susceptible to this more aggressive attack, researchers said.
Websites and apps using HTTPS for additional security are also at risk. Researchers said they were able to bypass the added layer of protection in Apple’s iOS, Android and banking apps, as well as VPN apps.
How to fix it
In a statement, the Wi-Fi Alliance said the issue can be eliminated through software updates and noted a number of major companies including Aruba Networks, Cisco, Juniper Networks, Intel, Samsung and Toshiba have already begun deploying patches. Wi-Fi Alliance also said it is sharing information on the vulnerability with vendors, and now requires testing for the flaw in its certification lab.
Vanhoef said users should move to make sure all of their devices are updated as soon as possible. Necessary updates extend to the firmware of a user’s router, but users don’t necessarily have to change their Wi-Fi password, he said.