Wi-Fi encryption security took a major hit on Monday with the disclosure of a flaw that affects virtually every device that wirelessly connects to the Internet.
Wi-Fi encryption security took a major hit on Monday with the disclosure of a flaw that affects virtually every device that wirelessly connects to the Internet.
KRACK, short for Key Reinstallation AttaCK, is a weakness that was discovered in the WPA2 encryption protocol by security researcher Mathy Vanhoef. As outlined in a profile of the weakness, the main attack is against the four-way handshake of the WPA2 protocol that takes place when a client wants to join a protected Wi-Fi network. In short, it works by tricking the victim device into reinstalling a key that is already in use, thus allowing packets to be replayed, decrypted and/or forged.
According to Vanhoef, nefarious types can use the attack technique to steal sensitive information like credit card numbers and passwords as well as access e-mails, photos and chat messages. What’s more, depending on the network configuration, it may even be possible for an attacker to inject ransomware or other malware into a website or otherwise manipulate data.
Because the weakness is in the Wi-Fi standard itself and not an individual product or implementation, it’s likely that any correct implementation of WPA2 is affected. This encompasses devices associated with Apple, Android, Linux, Windows, OpenBSD, MediaTek, Linksys and others although Vanhoef says the attack is especially devastating against Linux and Android 6.0 or higher.
Before going into full-on panic mode, it’s worth nothing that an attacker needs to be within physical range of a network to carry out an attack. The bad news, of course, is that Wi-Fi is all around us so finding a network to attack could be done in seconds.
Although information on the attack is just now going public, details of it were first submitted for review in mid-May. This has given vendors like Apple, Cisco, Google, Intel and Microsoft some time to investigate the matter and, in some instances, already have patches available.
Speaking of, ZDNet has a running list of who’s on top of their game in this respect.
