Serious weaknesses in the security protocol used for all modern protected Wi-Fi networks, both personal and enterprise, have been exposed by a Belgian researcher who warns cyber attackers can gain access to and manipulate sensitive data or even inject malware into a network.
According to Mathy Vanhoef, a doctoral researcher in computer security from Leuven, Belgium, cyber attackers in close range of a victim can use what he refers to as a “key reinstallation attack”, also known as KRACK, to exploit serious weaknesses in WPA2.
“Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted,” he explained in an online post.
“This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.
“The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected.”
Vanhoef said Android, Linux, Apple, Windows, OpenBSD, MediaTek and Linksys products, amongst others, are all affected by some variant of the attacks. To prevent KRACK attacks, he said users must update affected products as soon as security updates become available.
In a statement on the KRACK Wi-Fi exploit, McAfee’s Chief Technology Officer for APAC, Ian Yip, said the risk was ‘reduced somewhat’ by the fact that an attacker must be in the proximity of a victim’s wireless device or network.
“For example, an attacker cannot use this exploit to compromise a wireless network or device from an indeterminate location halfway across the world,” he said. “However, this is significant in that there is no readily available alternative, uncompromised protocol to use on a local wireless network until patches are deployed. We should note that while the exploit compromises wireless networks, point-to-point encryption between devices and websites or applications should still be secure.
“In the meantime, use physically connected wired access points where available. In the event you have to use a wireless network, behave as you would when using a public internet connection. Risks can be further mitigated by ensuring you access all websites over HTTPS where available, and use VPNs at all times.”
A Microsoft spokesperson told The Verge that the company had released a security update on 10 October to protect its customers from the exploit. Meanwhile, the same article noted Google would release a fix for its Pixel and other devices within “the coming weeks”.