A security researcher has determined that nearly every WiFi device in the world — your phone, your computer, your router, and on and on — has a flaw in its security protocol that makes it vulnerable to hackers who could hijack it, track your activities, or worse.
The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, the computer security academic who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network.
That weakness can, at its worst, allow an attacker to decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream.
In other words: hackers can eavesdrop on your network traffic.
The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices -- putting every supported device at risk.
"If your device supports Wi-Fi, it is most likely affected," Vanhoef says.
The vulnerability, Vanhoef says, "can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks."
This includes "devices running the Android, Linux, Apple, Windows, and OpenBSD operating systems, as well as MediaTek, Linksys, and other types of devices," Ars Technica reports.
"Depending on the network configuration, it is also possible to inject and manipulate data," Vanhoef says. "For example, an attacker might be able to inject ransomware or other malware into websites."
Before you think that sticking with HTTPS-protected sites will keep you safe, Vanhoef warns that "this extra protection can (still) be bypassed in a worrying number of situations."
"For example," he writes, "HTTPS was previously bypassed in non-browser software, in Apple's iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps."
ZDNet reports that "News of the vulnerability was later confirmed on Monday by US Homeland Security's cyber-emergency unit US-CERT, which about two months ago had confidentially warned vendors and experts of the bug."
According to Ars Technica, the US-CERT alert was "distributed to about 100 organizations." It read:
"US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017."
This is ordinarily the part in a news report where we tell you how to keep yourself safe and/or how officials are fixing this. However, news on either of those topics remains sparse, and ZDNet says as of this morning that "Wi-Fi should be considered a no-go zone for anything mission critical."
Ars Technica takes the matter equally seriously, saying that "people should avoid using Wi-Fi whenever possible until a patch or mitigation is in place. When Wi-Fi is the only connection option, people should use HTTPS, STARTTLS, Secure Shell, and other reliable protocols to encrypt Web and e-mail traffic as it passes between computers and access points."