Researchers Discover WiFi Vulnerability Affecting Basically Every Device on Earth
by Kate Cox , consumerist.org, 16 October 2017
They've given it the catchy name of 'Krack Attack'
Consumers have been bombarded by bad news about digital security this year, most recently the massive Equifax data breach revealed in September. Now, security researchers have discovered a problem with how even the best WiFi networks are protected. As far as they know, no criminal has taken advantage of the vulnerability. But, it puts everyone’s web communications at risk.
And that means everyone. The researchers, based out of the University of Leuven in Belgium, say that every WiFi network in every home, office, and coffee shop around the world shares this flaw. And they have given it the catchy name of “Krack Attack.”
What’s the Danger?
You may remember the last time you connected your phone, laptop, or other device to a new WiFi network. When it asked you for the network password, it also said something about the security protocol, perhaps listing something like “WEP” or “WPA2,” or asking you to choose from a list of types.
Older standards, WEP and WPA, have known weaknesses and aren’t considered the safest go-to any longer. The WPA2 security protocol is the current, modern standard and has been for about a decade.
Unfortunately, that WPA2 standard is also where the researchers found this vulnerability.
The flaw has to do with the actual encrypted messages that devices send each other to authenticate when they connect. The researchers proved that someone can manipulate those connections, abuse the vulnerability, and gain access to communications that are supposed to be secure.
The upshot is that a malicious actor can use this weakness “to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on.” Basically, any data you can send, they can access. Someone could also use the same vulnerability to add extra data onto your device that should not be there—like, for example, ransomware or other malware.
Because the weak point is in the actual standard, it’s not limited to a single network or device. It’s pervasive—every single device that can communicate in this way, which is basically all of them, is potentially susceptible. The list includes all Android, Apple, Linux, and Windows devices—your standard phones and laptops—as well as the routers they connect to, from companies like Linksys. Some devices, like those running Android are Linux, may be easier for hackers to manipulate than others, but none are safe.
If you speak network security, the research team explained the details, published a paper, and included a proof-of-concept demonstration on their website.
US-CERT, the division of the Department of Homeland Security that handles digital security, has confirmed their findings.
Is There Anything You Can Do?
There’s nothing that individuals can do; changing your WiFi password or using a different device won’t help, since the flaw is embedded deep in the very basis of your internet connection.
But there is good news: This flaw is patchable.
Device manufacturers were all notified about the flaw before it was made public, and are working on updates to fix this particular danger. The best thing any home user can do is install security updates as soon as your devices prompt you to, and make sure you keep any computer, phone, or connected device as up-to-date as the manufacturer allows.
Editor's Note: This article was adapted from a story that appeared on Consumerist.com.