Any wi-fi network, and any device connected to it, is vulnerable to attack after a security researcher identified a major flaw in the protocol that secures it.
Australians are advised to update their devices and routers as soon as possible, while IoT devices are particularly at risk of being hacked.
Dubbed KRACK – Key Reinstallation Attack – the flaw allows an attacker to eavesdrop on a private wi-fi network’s traffic and read information that was supposed to be encrypted.
The vulnerability was discovered by Mathy Vanhoef, a researcher at Belgian university KU Leuven, who launched a website detailing the breach late on Monday night.
“Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted,” Vanhoef said in the post.
“This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos and so on.”
KRACK breaches WPA2 encryption, the security protocol used by all modern wi-fi networks.
“The attack works against all modern protected wi-fi networks,” he said.
“The weaknesses are in the wi-fi standard itself and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. If your device supports wi-fi, it is most likely affected.”
KRACK targets the “handshake” performed between a wi-fi network and a device that wants to join it, the step in which the password comes into play. During this handshake a fresh encryption key is agreed for all subsequent traffic, so only devices holding that unique key can read the data.
KRACK abuses the protocol by tricking the victim into reinstalling an encryption key that is already in use, which resets the counters the encryption depends on and effectively restarts it.
That gives the attacker the ability to decrypt and read messages sent over the network.
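The mechanism described above comes down to one thing: a session key may be installed once, and the packet number (the nonce fed to the cipher) must never repeat under that key. The following Python simulation is an added illustration, not code from the original article or from Vanhoef’s research. It uses a constructed hash-based keystream as a stand-in for the real cipher, models a client that resets its packet number whenever handshake message 3 arrives (vulnerable) beside one that refuses to reinstall a key it already holds (the hardened behaviour modelled on how patched clients address the flaw), and shows how a defender inspecting a capture can detect the resulting nonce reuse and why it matters.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256(key || nonce || block).

    Constructed stand-in for the real CCMP/AES-CTR keystream; the property
    that matters is identical: same key + same nonce => same keystream.
    """
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            key + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Client:
    """Minimal supplicant state for one session (pairwise) key."""

    reinstall_safe: bool                       # True = hardened client
    key: Optional[bytes] = None
    nonce: int = 0                             # packet number under current key
    sent: List[Tuple[int, bytes]] = field(default_factory=list)  # capture log

    def on_handshake_msg3(self, session_key: bytes) -> bool:
        """Handle handshake message 3, which delivers the session key.

        Returns True if the key was (re)installed, False if ignored.
        """
        if self.reinstall_safe and self.key == session_key:
            # Hardened behaviour: the key is already installed, so a
            # retransmitted message 3 must not reset the packet number.
            return False
        self.key = session_key
        self.nonce = 0          # installing a key restarts the packet number
        return True

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        assert self.key is not None, "no key installed"
        n = self.nonce
        self.nonce += 1
        ciphertext = xor(plaintext, keystream(self.key, n, len(plaintext)))
        self.sent.append((n, ciphertext))
        return n, ciphertext


def find_nonce_reuse(log: List[Tuple[int, bytes]]) -> List[int]:
    """Detection check: packet numbers that occur more than once in a capture."""
    counts: Dict[int, int] = {}
    for n, _ in log:
        counts[n] = counts.get(n, 0) + 1
    return sorted(n for n, c in counts.items() if c > 1)


def keystream_cancels(ct1: bytes, ct2: bytes, p1: bytes, p2: bytes) -> bool:
    """True when XOR(ct1, ct2) == XOR(p1, p2), i.e. both frames were
    encrypted with the same keystream and the encryption no longer hides
    the relationship between the two plaintexts."""
    n = min(len(ct1), len(ct2))
    return xor(ct1[:n], ct2[:n]) == xor(p1[:n], p2[:n])


def run(reinstall_safe: bool) -> dict:
    """Drive one client through a handshake, a frame, a retransmitted
    message 3, and a second frame; report what a capture would show."""
    key = hashlib.sha256(b"constructed-session-key").digest()  # constructed
    client = Client(reinstall_safe)
    client.on_handshake_msg3(key)
    p1 = b"frame one: GET /inbox HTTP/1.1"      # constructed sample frames
    p2 = b"frame two: Cookie: session=abc"
    n1, ct1 = client.send(p1)
    client.on_handshake_msg3(key)               # retransmitted message 3
    n2, ct2 = client.send(p2)
    return {
        "nonces": (n1, n2),
        "reused": find_nonce_reuse(client.sent),
        "keystream_cancels": keystream_cancels(ct1, ct2, p1, p2),
    }


if __name__ == "__main__":
    print("vulnerable client:", run(False))
    print("hardened client:  ", run(True))
```

The vulnerable client reports nonces `(0, 0)`, the detector flags packet number 0, and the two ciphertexts XOR to the XOR of the plaintexts; the hardened client reports `(0, 1)` and neither condition holds. Watching for repeated packet numbers under one key is therefore a practical way to confirm whether a client on your network still reinstalls keys.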
While much of the most sensitive data online is still protected by HTTPS encryption, Vanhoef pointed out that this too has been “previously bypassed”.
An attacker could also “inject data”, such as ransomware or malware, into the wi-fi network under attack. The attack is “especially catastrophic” against Linux and Android devices, where it then becomes “trivial” to “intercept and manipulate traffic”.
The attacker does, however, have to be within range of the victim’s wi-fi network, which somewhat limits the risk of remote attacks, as Iron Group CTO Alex Hudson explained in a blog post.
“There is a limited amount of physical security already on offer by wi-fi: an attacker needs to be in proximity,” Hudson said.
“So you’re not suddenly vulnerable to everyone on the internet. It’s very weak protection, but this is important when reviewing your threat level.”
At least an entirely new security protocol for wi-fi isn’t necessary: security patches can shore up the existing one.
Changing the wi-fi password won’t help, because the attack never recovers the password or the actual encryption key.
“To prevent the attack, users must update affected products as soon as security updates become available,” Vanhoef said.
Smaller wi-fi-connected IoT devices that cannot be updated are most at risk from the new attack, according to Hudson.
“It’s clear to me that Internet of Things type devices will be the hardest hit,” he said.
“Devices with embedded wi-fi for secondary functional purposes, like TVs and baby monitors, are unlikely to get proper updates.”
Various vendors were notified about the vulnerability in July, Vanhoef said, and US-CERT sent out a broad notification at the end of August.
It’s the first time that WPA2 has been breached with a technique other than password guessing.
This is a big deal, Hudson explained, and could prove devastating.
“There are plenty of nasty attacks people will be able to do with this,” he said.
“They may be able to disrupt existing communications. They may be able to pretend to be other nodes on the network. This could be really bad – they won’t be able to pretend to be a secure site like your bank on the wi-fi, but they can definitely pretend to be non-secure resources.”
It isn’t known whether KRACK has been used by anyone other than Vanhoef, although the widespread publicity will likely increase the risks.
“We are not in a position to determine if this vulnerability has been, or is being, actively exploited in the wild,” he said.
Vanhoef will be formally presenting the research at the ACM Conference on Computer and Communications Security in the US in November. He said he first discovered the vulnerability in WPA2 while completing a different research paper. While “staring at code”, he began to wonder how the handshake could be tricked.
“A few weeks later, after finishing the paper and completing some other work, I investigated this new idea in more detail,” Vanhoef said.
“And the rest is history.”