KRACK exposes Wi-Fi WPA2 protocol vulnerability
Oliver Bradshaw
Technical VPN Analyst
When setting up a new Wi-Fi network, you are presented with the option to use WPA2 as your main security protocol. Released in 2004, the WPA2 protocol became the global industry standard for Wi-Fi encryption and security, keeping all of your data transmitted over the wireless network safe and secure.
However, on Monday morning, cyber-security expert Mathy Vanhoef uncovered a weakness, dubbed KRACK (Key Reinstallation Attack), within the WPA2 protocol that allowed him to entirely decrypt all of the data transmitted through the Wi-Fi network.
If used by an attacker, this method of decryption can allow access to sensitive information, such as passwords, payment information and basically anything transmitted via the Wi-Fi network.
Vanhoef stated that the vulnerability is so severe that all modern Wi-Fi networks, Android smartphones and Apple, Windows and Linux based PCs are affected by at least one of the various types of KRACK attacks. Further expressing his concern for the vulnerability, Vanhoef said, “If your device supports wifi, it is most likely affected.”
Who is affected by this Wi-Fi vulnerability?
As the WPA2 protocol is the standard used by almost every wireless network around the world to encrypt data, this type of attack leaves almost every device using WPA2 vulnerable to being hacked. Emma Garrison-Alexander, vice dean of cybersecurity at Maryland University, stated that WPA2 was thought to be the “best level of protection for your information.”
A myriad of devices, from TVs and laptops to IoT devices such as refrigerators and vacuum cleaners, could be affected by the KRACK vulnerability, giving attackers access to highly sensitive data, such as the layouts of homes and keys to digital security locks.
The severity of this vulnerability has drawn a response from Britain’s National Cyber Security Centre, with the agency issuing an alert stating, “Research has been published today into potential global weaknesses to wifi systems. The attacker would have to be physically close to the target and the potential weaknesses would not compromise connections to secure websites, such as banking services or online shopping.”
“The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection and others.”
What’s being done about it?
Although the security threats of this attack are severe and have the ability to grant anyone access to passwords, bank details, messages, photos and more, there is one thing that makes the attack unlikely against home networks: the attacker must be within range of your wireless network.
This ‘requirement’ will make it far less likely for individuals to be attacked. The same cannot be said for corporate networks.
In statements today, both Apple and Microsoft have confirmed that the latest betas of Apple’s iOS, macOS, tvOS, and watchOS are all protected from the attack, as are Microsoft systems with Windows Updates enabled.
As for Android and ChromeOS, Google has stated that they are actively working “as quickly as possible” on a security patch to ensure that Android smartphones and Chromebooks are shielded from the attack.
It’s important to remember that there are more security walls in place within browsers and smartphones, such as the encrypted HTTPS protocol, adding an extra layer of protection to users’ data.