Chevron icon It indicates an expandable section or menu, or sometimes previous / next navigation options. HOMEPAGE

Researchers found a massive security flaw in Wi-Fi networks — here's what you should know

padlock security hacking lock broken
Nick Carter/Flickr (CC)

The INSIDER Summary:

  • A major security flaw has been found in a protocol that protects modern Wi-Fi.
  • If your phone or computer is Wi-Fi enabled then it's probably at risk, researchers say.
  • Any attacker needs to be on the same Wi-Fi network as you to target you.

Researchers have discovered a massive security flaw in the security used to protect Wi-Fi networks — potentially allowing them to steal credit card details, private messages, photos, and more.

The vulnerability affects all major modern devices and operating systems, including Android, Apple, Windows, Linux, and more.

"The attack works against all modern protected Wi-Fi networks," researcher Mathy Vanhoef wrote on a website outlining his findings.

Advertisement

"If your device supports Wi-Fi, it is most likely affected."

The weakness was found in the security protocol WPA2, and is being referred to as a KRACK attack, referring to the "key reinstallation attack" that was used. In short, it allows an attacker to intercept and read sensitive data being transferred over the network.

This is, security professionals agree, a very serious vulnerability — one that affects devices on a massive scale.

Any attacker needs to be physically on the same Wi-Fi network as you

krack attack logo hacking security
The vulnerability even has a logo. KRACK Attack

There are some mitigating factors, as Iron Group CTO Alex Hudson pointed out in a blog post.

Advertisement

For starters, any attacker exploiting the vulnerability needs to physically be on the same Wi-Fi network as you. "So, you’re not suddenly vulnerable to everyone on the internet," he wrote. "It’s very weak protection, but this is important when reviewing your threat level."

And secondly, if websites often use an additional level of encryption — HTTPS — that hasn't been compromised. So if your bank uses it to secure your financial data, for example, an attacker wouldn't be able to grab it.

Still, Hudson cautioned: "There are plenty of nasty attacks people will be able to do this. They may be able to disrupt existing communications. They may be able to pretend to be other nodes on the network. This could be really bad ... they can definitely pretend to be non-secure resources. Almost certainly there are other problems that will come up, especially privacy issues with cheaper internet-enabled devices that have poor security."

The vulnerability is patchable — but it's still a big problem

Android is particularly at risk from the vulnerability, Vanhoef wrote. But this isn't insurmountable. Fixes can be developed for the problem — but in practice, these will take time to roll out, and not all hardware vendors will update their products in a timely fashion.

Advertisement

Vendors were first warned about the vulnerability back in July, so they had time to prepare patches before it was publicised. The researcher said they didn't know whether the vulnerability has been exploited by real-world attackers yet — but now it has been made public, the chances of it happening seem likely to increase.

Here's the paper outlining the vulnerability with the full technical details:

Advertisement
Security
Advertisement
Close icon Two crossed lines that form an 'X'. It indicates a way to close an interaction, or dismiss a notification.

Jump to

  1. Main content
  2. Search
  3. Account