- A major security flaw has been found in a protocol that protects modern wi-fi.
- If your phone or computer is wi-fi enabled then it’s probably at risk, researchers say.
- Any attacker needs to be on the same wi-fi network as you to target you.
Researchers have discovered a massive security flaw in the security used to protect wi-fi networks — potentially allowing them to steal credit card details, private messages, photos, and more.
The vulnerability affects all major modern devices and operating systems, including Android, Apple, Windows, Linux, and more.
“The attack works against all modern protected wi-fi networks,” researcher Mathy Vanhoef wrote on a website outlining his findings.
“If your device supports wi-fi, it is most likely affected.”
The weakness was found in the security protocol WPA2, and is being referred to as a KRACK attack, referring to the “key reinstallation attack” that was used. In short, it allows an attacker to intercept and read sensitive data being transferred over the network.
This is, security professionals agree, a very serious vulnerability — one that affects devices on a massive scale.
Any attacker needs to be physically on the same wi-fi network as you
There are some mitigating factors, as Iron Group CTO Alex Hudson pointed out in a blog post.
For starters, any attacker exploiting the vulnerability needs to physically be on the same wi-fi network as you. “So, you’re not suddenly vulnerable to everyone on the internet,” he wrote. “It’s very weak protection, but this is important when reviewing your threat level.”
And secondly, if websites often use an additional level of encryption — HTTPS — that hasn’t been compromised. So if your bank uses it to secure your financial data, for example, an attacker wouldn’t be able to grab it.
Still, Hudson cautioned: “There are plenty of nasty attacks people will be able to do this. They may be able to disrupt existing communications. They may be able to pretend to be other nodes on the network. This could be really bad … they can definitely pretend to be non-secure resources.
“Almost certainly there are other problems that will come up, especially privacy issues with cheaper internet-enabled devices that have poor security.”
The vulnerability is patchable — but it’s still a big problem
Android is particularly at risk from the vulnerability, Vanhoef wrote. But this isn’t insurmountable. Fixes can be developed for the problem — but in practice, these will take time to roll out, and not all hardware vendors will update their products in a timely fashion.
Vendors were first warned about the vulnerability back in July, so they had time to prepare patches before it was publicised. The researcher said they didn’t know whether the vulnerability has been exploited by real-world attackers yet — but now it has been made public, the chances of it happening seem likely to increase.