Massive Flaw in Wi-Fi Security Found


The problem is made worse by Android and Linux, which don't force the client to demand a dedicated certificate.

Despite the severity of the flaw, it is rather hard to implement. It's also very important to know that the hack can affect all protected Wi-Fi networks. The attack does not work over the internet.

WPA2 is the highest level of Wi-Fi security available now and other options, which you might be able to find in your smartphone settings such as WPA1 and WEP, are even less secure.

Furthermore, this is primarily an attack against clients (devices connected to a network), not routers.

Various vendors were notified about the problem as early as July, so we might expect updates for end-user devices, if not networking hardware.

"One of the biggest concerns here of course is getting routers patched - firstly getting the average user to check and apply any firmware updates and secondly, some older routers may not even have a patch available - the average household would acquire an auto-configured router, install it and forget about it, until possibly they change their internet provider". Vanhoef has put up a website detailing the flaw in relatively easy-to-understand terms, as well as a research paper that's not so easy to grasp. Of note, the researcher emphasizes that the KRACK attack methods do not actually reveal the password of a WPA2-protected Wi-Fi network.

"The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations", Vanhoef wrote.

Alan Woodward, a computer science professor at Britain's University of Surrey, says "the heart of the WPA2 flaw" involves an attack against WPA2's four-way handshake. Rather, it's in the implementation. This happens through an error in the handshake between the devices and the Wi-Fi router. That key is unique to that connection, and that device.


You can stop using Wi-Fi until your routers are fixed, and switch to Ethernet instead.

WPA2 - the encryption standard that secures all modern Wi-Fi networks - has been cracked.

"When the client now receives a retransmitted message 3 of the 4-way handshake, it will reinstall the now-cleared encryption key, effectively installing an all-zero key". In a test run demonstrated on video, researchers were able to attack an Android device, exposing all of the victim's transmitted data. In such cases, the encryption between the router and client device will be completely broken. Also, make sure to use HTTPS when browsing the web, and other security protocols, to encrypt all your traffic.

This hack can't steal your banking information or Google password (or any data on a correctly secured connection that uses end-to-end encryption).

On a website dedicated to the vulnerability, Mr Vanhoef issued a plea to tech companies to issue security patches to protect devices against the vulnerability immediately.

Of note, this attack does not allow attackers to recover the network password.

Vanhoef said that by manipulating and replaying these cryptographic handshake messages, a hacker could trick a device into reinstalling an already-in-use key, giving the attacker visibility of any transmitted data. Vanhoef noted that Windows and iOS are less affected because they do not accept one-time keys that have been sent a couple of times.
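An added example (not from the article or from the researcher's own code) that models the client side of the behaviour described above: installing a key resets the per-frame packet number, so a retransmitted message 3 makes a naive client reuse the same key and nonce, while a client that refuses to reinstall a key already in use does not. The `Client` class, the `keystream_xor` toy cipher (a stand-in for WPA2's real encryption) and the sample key are assumptions made for illustration.

```python
import hashlib

def keystream_xor(key: bytes, nonce: int, data: bytes) -> bytes:
    # Toy stream cipher (SHA-256 in counter mode); stand-in for WPA2's cipher.
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        seed = key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        stream += hashlib.sha256(seed).digest()
        block += 1
    return bytes(d ^ s for d, s in zip(data, stream))

class Client:
    """Hypothetical model of a Wi-Fi client handling handshake message 3."""
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.key = None
        self.next_nonce = 0
        self.used = []  # every (key, nonce) pair used to encrypt a frame

    def on_message3(self, key: bytes) -> bool:
        """Returns True if the key was (re)installed."""
        if self.hardened and key == self.key:
            return False          # key already in use: keep the nonce counter
        self.key = key
        self.next_nonce = 0       # installing a key resets the packet number
        return True

    def send(self, plaintext: bytes) -> bytes:
        nonce = self.next_nonce
        self.next_nonce += 1
        self.used.append((self.key, nonce))
        return keystream_xor(self.key, nonce, plaintext)

def nonce_reused(client: Client) -> bool:
    # A (key, nonce) pair must never encrypt two different frames.
    return len(set(client.used)) != len(client.used)

def run(hardened: bool):
    key = bytes(range(16))        # constructed sample session key
    client = Client(hardened)
    client.on_message3(key)       # original message 3
    ct1 = client.send(b"first frame data")
    client.on_message3(key)       # retransmitted message 3
    ct2 = client.send(b"second frame dat")
    return client, ct1, ct2

if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "naive", nonce_reused(run(mode)[0]))
```

The hardened branch mirrors the general shape of the fix: a client that tracks which key is installed can ignore a replayed message 3 instead of resetting its counters.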

Android version 6.0 and newer devices are more vulnerable, because of a secondary bug in the operating system.