Nearly All Wi-Fi Networks Are Vulnerable to New KRACK Exploit

A serious vulnerability in basically every Wi-Fi network has been discovered. The security flaw could leave millions of networks and devices prone to attacks.

The weakness exists within the WPA2 security protocol that protects and encrypts Wi-Fi networks and their data. The vulnerability could allow attackers to access passwords, e-mails and other data that were once presumed to be secure. In some cases, hackers can inject malicious code or ransomware into a website that a user is visiting.

“This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on,” researcher Mathy Vanhoef wrote. “The attack works against all modern protected Wi-Fi networks.”

The exploit was discovered by security researchers weeks ago, but its revelation was kept a secret until this morning’s scheduled disclosure. A website detailing the vulnerability — and the researcher’s proof-of-concept exploit called KRACK — is now online. According to the site, the researcher’s exploit can be used to steal a plethora of sensitive data.

Vanhoef also uploaded a video showing off the KRACK proof-of-concept exploit attacking a Google Android device. It works by forcing the device to reinstall an all-zero encryption key, rather than the actual key provided by the WPA2 protocol.

In addition to Vanhoef’s public disclosure, the U.S. Computer Emergency Readiness Team has already distributed an advisory to about 100 organizations.

The WPA2 flaw allows attackers to target both Wi-Fi access points, as well as smartphones, computers and other devices connected to vulnerable networks. iOS and Windows are less susceptible to the most severe attacks, but Linux and Android are especially prone to them.

Additionally, Vanhoef said that, while using websites protected by HTTPS can offer another layer of security, these encrypted sites can be improperly configured. This can allow attackers to force the sites to drop back to transmitting standard HTTP data. HTTPS has previously been bypassed in iOS, macOS, Android and even when browsing using a VPN.

Luckily, Vanhoef added, the flaw doesn’t necessarily signal the need for a rollout of a WPA3 standard. The researcher said that WPA2 can be patched via backwards-compatible methods. Due to this, it’s recommended that users update all of their devices and Wi-Fi access points when security updates become available.

As of Monday morning, Apple told iMore’s Rene Ritchie that the vulnerability has been patched in the newest beta versions of iOS, tvOS, watchOS and macOS. Presumably, the official new versions of Apple’s operating systems will contain the patch when they roll out.

How to Protect Your Devices

Currently, it’s recommended that all users update to the latest available software versions, as they’ll render KRACK and similar exploits less effective. While developers and public beta testers will be able to download the newest Apple beta versions, regular users should keep an eye out for upcoming emergency updates. Additionally, here are a few assorted tips to help keep your data safe.

• Update all of your devices that can connect to Wi-Fi as soon as possible.
• Find out if your Wi-Fi router has been patched. If it has, download and install its firmware update.
• Use the HTTPS Everywhere browser extension, provided by the Electronic Frontier Foundation.
• Forego Wi-Fi networks in favor of ethernet connections when possible.
• Consider turning off Wi-Fi on your smartphone. Instead, rely on cellular data which is not prone to the KRACK exploit.
• Don’t rely solely on a VPN. While they can be great for security, KRACK and related exploits can bypass them in certain circumstances.