October 18, 2017
According to researchers, the WPA2 protocol for Wi-Fi connectivity contains a significant weakness that makes it vulnerable to attackers. A hacker within range of connected devices would reportedly be able to exploit this weakness to hijack passwords, emails and other “encrypted” data, or even place ransomware into a website the user is visiting. The research, which has been ongoing for weeks, reveals that the WPA2 core vulnerability could affect operating systems and devices including Android, Linux, OpenBSD, MediaTek, Linksys, macOS and Windows.
Ars Technica reports that, according to Katholieke Universiteit Leuven researcher Mathy Vanhoef in Belgium, “This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on,” and that “the attack works against all modern protected Wi-Fi networks.”
“The attack works by forcing the phone into reinstalling an all-zero encryption key, rather than the real key,” and is “particularly effective” on Linux platforms. HTTPS-protected web pages aren’t safe either, since “many improperly configured sites can be forced into dropping encrypted HTTPS traffic and instead transmitting unencrypted HTTP data.”
Although Windows and iOS are not “vulnerable to the most severe attacks, Linux and Android appear to be more susceptible because attackers can force network decryption on clients in seconds with little effort.” The threat is believed to be greatest for large corporate and government Wi-Fi networks, “particularly if they accept connections from Linux and Android devices.”
Linux patches have been created, “but it’s not immediately clear when they will become available for various distributions and for Android users.” “Patches are also available for some but not all Wi-Fi access points.” More information on the WPA2 vulnerabilities will be made through the KRACK (Key Reinstallation Attacks) site.
Users that install the Windows patch, which was issued October 10, “should also install new Wi-Fi device drivers if available,” to be fully protected, and those “with vulnerable access points and clients should avoid using Wi-Fi until patches are available and instead use wired connections,” and “consider using a virtual private network as an added safety measure.”
The Wall Street Journal reports that Apple and Google say they plan to “roll out patches for affected devices within the coming weeks.” The Wi-Fi Alliance, which says WPA2 has been included in all Wi-Fi devices since 2006, reports that, as of now, “there is no evidence of hackers exploiting the attack.” Open Crypto Audit Project co-director Kenneth White says, “it will likely be months before code leveraging the attack will be public.”
In addition to corporate networks, older Android phones that don’t receive security updates are also at risk of attack.