A security researcher at the University of Leuven in Belgium recently discovered a serious weakness in Wi-Fi Protected Access 2 (WPA2), a protocol that secures almost all modern Wi-Fi networks, potentially exposing wireless Internet traffic to eavesdroppers and attackers.
The flaw is known as KRACK, short for Key Reinstallation AttaCK, and it could allow a hacker within range of your router, smartphone, computer or other wireless device to break encryption.
“An attacker could see conversations between your computer and an access point — even insert additional communications. It would appear as though it’s coming from your device but it would be coming from the attacker,” said Professor Urs Hengartner, a member of the Cryptography, Security, and Privacy Group at the David R. Cheriton School of Computer Science.
“The flaw affects wireless networks so an attacker would need to be nearby. Imagine a wireless video camera on your home network that you use to observe your living room remotely. A neighbour could potentially decrypt the traffic coming from your camera.”
The vulnerability is in the WPA2 protocol, rather than in any specific device or software. However, devices and operating systems are affected to varying degrees depending on how they implement the WPA2 protocol. Among the most susceptible to KRACKing are devices that use Android 6.0 and Linux operating systems.
“I would rank the issue a seven out of ten for seriousness. Update and patch your Wi-Fi-enabled devices if you can. Unfortunately, many Android devices are affected and no patch is available. And many IoT devices such as wireless cameras often can’t be patched,” Hengartner said.
With Android and Linux, the attack is particularly malicious as it turns off encryption so you think you have encryption but in fact you do not. “If you’re an Android or Linux user who uses Wi-Fi and your device hasn’t been patched you should be careful. The tools to exploit the vulnerability will only get stronger,” Hengartner explained.
“WPA2 has been the industry standard for 13 years. My guess is that an amendment to the protocol will be released that stipulates more clearly what devices need to do, what kind of checking to do when it gets a message.”
For now, Hengartner advises that the best thing to protect yourself is to install patches for as many of your devices as possible as soon as they are available, and if you’re sharing sensitive data only use sites with HTTPS encryption.