Security researchers have discovered weaknesses in the WPA2 (Wi-Fi Protected Access II), the security protocol for most modern Wi-Fi networks. An attacker within the range of victim can interrupt credit card numbers, passwords, photos, and other sensible information using the bug called KRACK (Key Reinstallation Attacks).
What this means is that the security built into Wi-Fi is likely ineffective, and we should not assume it provides any security. If the security problem which researchers have discovered is true, then it will be very difficult to fix it. Because the WPA2 is built into almost every internet connected device.
During the initial research, it was found that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others are all affected by some variant of attacks. The attacks against Linux and Android 6.0 or higher devices could be devastating because these devices can be tricked into (re)installing an all-zero encryption key. Currently 41% of Android devices are vulnerable to this attack.
It is also possible that attackers can inject and manipulate data depending on the network configuration, such as ransomware or other malware data into websites.
US Homeland Security’s cyber-emergency unit US-CERT confirmed the news of vulnerability on Monday and described the research this way- “US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.”
Most of the protected Wi-Fi networks including personal and enterprise WPA2 networks are affected by the KRACK and are at risk of attack. All the clients and access points that were examined by researchers were vulnerable to some variant of the attack. The vulnerabilities are indexed as: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088.
“The weakness lies in the protocol’s four-way handshake, which securely allows new devices with a pre-shared password to join the network. If your device supports Wi-Fi, it is most likely affected,” said Mathy Vanhoef, a computer security academic, who found the flaw.
Changing the passwords is not going to work even if you set a strong one. So, update all your devices and operating systems to the latest versions. As of now, users can protect themselves by sticking with sites that have HTTPS security, and keeping the Wi-Fi off. Since the security issue is related to Wi-Fi, the attacker has to be within a range, and the odds of widespread attacks are apparently low.
The warning came at Black Hat security conference, and is scheduled to be formally presented on November 1 at ACM Conference on Computer and Communications Security (CCS) in Dallas.