Digital security researchers publicly reveal vulnerability in WPA2 WiFi protocol
Thursday, October 19, 2017
On Monday, digital security researchers Mathy Vanhoef and Frank Piessens of Belgium's KU Leuven university publicly disclosed a security vulnerability in the WPA2 Wi-Fi (wireless local-area networking) protocol, which they called KRACK (for Key Reinstallation Attack). Their study claimed KRACK affects every modern device using Wi-Fi; it can be fixed by a software update, researchers said.
Vanhoef wrote, "Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos and so on." Vanhoef notified vendors about the flaw in July, including UNIX-like operating system. "If your device supports Wi-Fi, it is most likely affected. [...] In general, any data or information that the victim transmits can be decrypted", he wrote.
The study papers, which were submitted for review on May 19, were kept in confidence allowing companies to fix the security flaw. The United States-based (CERT) informed vendors on August 28. The said it "could be resolved through a straightforward software update." OpenBSD released their software patch on August 30.
Exploring the flaw which affected every device the researchers had tested, UK said "the attacker would have to be physically close to the target". But due to this flaw, an attacker can send malware or ransomware on the websites, Vanhoef claimed.
Linux-based operating systems including Android v6.0 and higher are especially affected by this flaw, while and are not as vulnerable as Android, as they do not fully implement WPA2.
Microsoft has reportedly released security patches for Windows 7, 8, 8.1 and 10. Google said Android operating systems would receive the updates in the software update scheduled to be made available on November 6. Apple has implemented the patch in the beta versions of its operating systems iOS, macOS, tvOS and watchOS; however, it is yet to roll out patches for the stable versions.
The WPA2 protocol has been used for more than a decade, and has been compulsory for Wi-Fi since 2006. KRACK would also affect various home appliances which can be controlled over Wi-Fi, within the so-called "Internet of Things". Andrew Martin from Oxford University said, "We can be sure a lot of these devices won’t be patched[...] Whether that matters for this attack or only for some future attack is yet to be seen."
The study and its findings are scheduled for presentation at the