Hackers can access all modern Wi-Fi networks through a crack in the wireless security protocol WPA2, according to new research published on Monday from the University of Leuven (KU Leuven) in Belgium.
The Wi-Fi hack — aptly named KRACK (Key Reinstallation AttaCK) — means the vast majority of devices and wireless internet traffic are potentially susceptible to malicious attacks and eavesdropping. If your device supports Wi-Fi, it is probably affected, warns Mathy Vanhoef, the KU Leuven security expert who discovered the weakness.
“Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted,” Vanhoef wrote in his report. “This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. In general, any data or information that the victim transmits can be decrypted. Additionally, depending on the device being used and the network setup, it is also possible to decrypt data sent towards the victim (e.g. the content of a website).”
No, Mom, this isn’t the end of the internet. But it does mean we’ll need to update our devices as soon as possible.
— Digital Trends (@DigitalTrends) October 16, 2017
Many websites today run an additional level of security beyond WPA2 (note the padlock icon next to our URL in your Web browser’s address bar) so personal info passed through these sites is private. Websites without that padlock should be seen as open to the public until KRACK is patched.
There’s also a level of physical security in that a would-be hacker has to be in close proximity to the network. We’re not all suddenly exposed to everyone on the internet.
According to the report, KRACK affects Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and other platforms. Some have released patches to address the vulnerability.
Recognizing how widespread the vulnerability was, Vanhoef and his team informed the United States Computer Emergency Readiness Team (CERT), which notified all susceptible vendors on August 28, 2017.
“We’re aware of the issue, and we will be patching any affected devices in the coming weeks,” Google told The Guardian.
“We have released a security update to address this issue. Customers who apply the update, or have automatic updates enabled, will be protected,” Microsoft said.
Security standards have been hacked in the past, but this time there’s no new, more secure, and widespread standard to fall back on. So don’t freak out, but be cautious — check for padlocks in your browser’s address bar, update your devices ASAP, and, for god’s sake, use a VPN.