Nearly everyone using Wi-Fi is being urged to patch their devices as a new widespread vulnerability to virtually all modern protected Wi-Fi networks leaves a huge swath of internet traffic potentially open for eavesdropping.
The vulnerability known as KRACK, short for Key Reinstallation Attack, allows data previously believed to be safely encrypted to be read and manipulated. Importantly, KRACK requires an attacker to be within Wi-Fi range in order to exploit the weakness in WPA2, the 13-year-old protocol securing virtually all modern Wi-Fi networks.
“This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on,” researcher Mathy Vanhoef from the Belgian university KU Leuven explained. “The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”
It’s not clear if the attack has ever been used in the wild or how easy it is to execute. The researcher urges everyone to make sure all devices are up to date and to update the firmware of routers if an update is available.
Vanhoef uploaded a proof-of-concept video to YouTube:
There is also an academic paper diving deep into the weakness.
The WPA2 protocol, called “ubiquitous in wireless networking” by U.S. CERT, is so deeply embedded in worldwide Wi-Fi networks that any correct implementation is likely vulnerable.
“Users are encouraged to install updates to affected products and hosts as they are available,” CERT warned.
The advice is normal: Patch. But the actual patches will take time to reach the vast number of devices impacted by the weakness, leaving some number of users vulnerable to attack until (and if) a fix reaches them.
“Notably, our attack is exceptionally devastating against Android 6.0,” Vanhoef explained. “It forces the client into using a predictable all-zero encryption key.”
Vanhoef promises follow-up work on how to execute KRACK attacks more easily and against a wider variety of targets to prove, in his words, that the vulnerability can be “abused be in practice.”