Severe WiFi security flaw puts millions of devices at risk

The vulnerability, Vanhoef says, "can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on".

This client-based attack uses a flaw in the "handshake" component of the WPA protocol that negotiates and confirms the validity of encryption keys between client and wireless network devices. However, all Wi-Fi devices still seem vulnerable to some variant of the weakness that make them ready for data theft from any malevolent attacker within the range.

As scary as this attack sounds, there are several mitigating factors at work here. Researcher Mathy Vanhoef of the University of Leuven in Belgium found a way to install a new "key" used to encrypt the communications onto the network, allowing a hacker to gain access to the data.

Because of the wide use of WPA2 security on just about every home and business network device all over the world, this creates a real security headache for everyone.

In the meantime, avoid connecting to public Wi-Fi networks. While we can't know yet if hackers have actually taken advantage of the vulnerability, its existence puts every Wi-Fi-enabled device at risk. "Together with other researchers, we hope to organize workshop (s) to improve and verify the correctness of security protocol implementations".

The only way to safeguard from KRACK is to update the affected products as soon as upgrades become available.

The group says the problem can be resolved through straightforward software updates. "We continue to encourage customers to turn on automatic updates to help ensure they are protected", the company rep stated. Also, MAC addresses can be spoofed fairly easily.

On the other hand, Engadget also revealed that Apple Inc. also came up with a fix to prevent the possible KRACK attacks in the latest beta versions of their operating systems, including macOS, iOS, tvOS, and watchOS.

For users, the best they can do for the moment is to wait for the router manufacturers and ISPs to come up with an effective patch in the form of firmware updates to remedy the situation.

Technology giants such as Apple, Google and Microsoft are all susceptible to some version of the vulnerability.

Did Microsoft do the right thing quietly patching the update or is full disclosure the only way to go? Failing to do so with a wireless access point, for example can quickly leave you with an expensive, oversized paperweight.

This padlock will appear on all HTTPS sites.

For those interested in a deeper dive on the technical details of this attack, check out the paper (PDF) released by the researchers who discovered the bug.

Related News: