Wi-Fi using WPA2 security may not be as secure as previously thought.
A weakness in the security protocol means that hackers, if within range, can potentially steal sensitive data or attack a computer using malware, according to researchers at KU Leuven in Belgium.
Mathy Vanhoef, a postdoc security researcher in the computer science department at KU Leuven who discovered the weakness, published details of the flaw on Monday, Oct. 16.
“Adversaries can use this attack to decrypt packets sent by clients, allowing them to intercept sensitive information such as passwords or cookies,” he wrote. “The attack works against all modern protected Wi-Fi networks.”
While Android, Linux, Apple, Windows, and other operating systems and devices are vulnerable, Vanhoef says Linux and Android 6.0 or higher are the most vulnerable because they can be tricked into installing or re-installing an all-zero encryption key.
Using what Vanhoef calls Key Reinstallation AttaCKs (KRACKs), he showed how someone could get data from an Android device by tricking the user into installing an old key.
“Essentially, to guarantee security, a key should only be installed and used once,” Vanhoef writes. “Unfortunately, we found this is not guaranteed by the WPA2 protocol.”
The United States Computer Emergency Readiness Team (CERT) issued a warning on Sunday in response to the vulnerability.
“The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection and others,” the alert says, according to The Guardian.
The good news is that someone who wants to exploit WPA2’s weakness has to be within Wi-Fi range, and any network that has additional security, such as virtual private networks (VPN) and secure shell (SSH) communications, should be protected.
To prevent an attack, Vanhoef recommends installing a security patch once it becomes available and, in the meantime, being conscious that any info accessed or transmitted via an unsecured website could be public.
Even secured websites, those with “https” in the URL, he warns, are not necessarily safe. “This extra protection can (still) be bypassed in a worrying number of situations,” Vanhoef wrote, listing a number of examples.