It isn’t often we hear of a vulnerability that could potentially affect every device you own, but a new type of attack being detailed today could very well do that. Described as key reinstallation attacks (KRACK, for short), these new exploits “work against all modern protected WiFi networks.” That, in case you were wondering, is bad news.
Mathy Vanhoef of imec-DistriNet, KY Leuven discovered the vulnerability and describes it on a website dedicated to these new attacks. On that site, he notes that “if you device supports WiFi, it is most likely affected” by this new vulnerability. How can it affect such a broad range of devices? As it turns out, KRACKs rely on and exploit a weakness in WPA2, the protocol which secures pretty much every WiFi network out there.
By taking advantage of these vulnerabilities, hackers can eavesdrop on the transmission of data, potentially reading that information even if it was encrypted. As worrying as that is, it doesn’t stop there, as KRACK could also allow those hackers to inject things like malware into websites.
While this can affect any WiFi-connected device, it seems to be particularly troublesome for Android devices running 6.0 or higher and Linux devices. Vanhoef notes that these devices are at greater risk because they can be “tricked into (re)installing an all-zero encryption key.” Though that makes it easier to decrypt the packages received from Android and Linux devices, don’t take to mean that your other devices are safe.
Vanhoef also notes that any information transmitted by one of these devices can be decrypted. So, not only do you have to worry about things like login credentials falling into the wrong hands with KRACK, but also private items like photos and chat transcripts. Vanhoef even made a video to show how easy it is to eavesdrop on an Android device and make off with user data, which you can see posted above.
The good news – if there’s any to be gleaned from all of this – is that the attackers need to be in-range of their target WiFi network to make a KRACK work. That may decrease the average consumer’s risk of being attacked, but that isn’t very encouraging for businesses who might be high-profile targets for attackers.
Even worse is the realization that router updates won’t fix this problem, as the attack works at the client level. This means that each of your devices will need to be patched to remove the risk of being compromised. If you own a device that can connect to WiFi, it will likely need to be patched, and Vanhoef recommends getting in touch with the manufacturers of each of those devices to figure out when those patches will arrive.
Make no mistake, this is certainly a big problem, and even though it might be troublesome getting in touch with all of your device manufacturers, it’ll be worth it in the long haul. After all, staying off WiFi isn’t a very good alternative. Be sure to read Vanhoef’s full report on KRACK, which comes complete with an FAQ that should answer most questions you have about the vulnerability.