Security flaw in Wi-Fi leaves millions at risk
The US government and security researchers worldwide have issued warnings of a newly discovered flaw in a widely used Wi-Fi encryption protocol.
The US government’s Computer Emergency Response Team (CERT) issued a warning saying the security flaw can open the door to hackers seeking to eavesdrop or hijack devices using wireless networks.
“Exploitation of these vulnerabilities could allow an attacker to take control of an affected system,” said CERT.
The agency’s warning follows research by computer scientists at the Belgian university KU Leuven, who named the security flaw KRACK, for Key Reinstallation Attack.
Ars Technica has reported that the discovery was a closely guarded secret for weeks in order to allow Wi-Fi systems to develop security measures.
The Wi-Fi encryption protocol with the security flaw, WPA2, allows hackers “to read information that was previously assumed to be safely encrypted,” said a blog post by KU Leuven researcher Mathy Vanhoef.
“This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks.”
Mathy also said the flaw may allow an attacker “to inject ransomware or other malware into websites.”
The Belgian researchers said in a research paper that devices on all operating systems may be vulnerable to KRACK, including 41 per cent of Android devices.
The risk
According to researchers, the flaw is dangerous due to the difficulty in patching millions of wireless systems.
“Wow. Everyone needs to be afraid,” said Rob Graham of Errata Security in a blog post.
“It means in practice, attackers can decrypt a lot of Wi-Fi traffic, with varying levels of difficulty, depending on your precise network setup.”
Researchers at Finland-based security firm F-Secure said the discovery of the flaw confirms longstanding concerns about Wi-Fi systems’ vulnerability.
“The worst part of it is that it’s an issue with Wi-Fi protocols, which means it affects practically every single person in the world that uses Wi-Fi networks,” F-Secure said in a statement.
F-Secure researchers said Wi-Fi users can minimise the risks by using virtual private networks and by updating devices including routers.
The Wi-Fi Alliance, an industry group that sets standards for wireless connections, said computer users should not panic.
“There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections,” the group said in a statement.
“Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member.”
On October 10, Microsoft released a patch to protect users of Windows devices.
“Customers who have Windows Update enabled and applied the security updates, are protected automatically,” Microsoft said.
A Google spokesman said, “We’re aware of the issue, and we will be patching any affected devices in the coming weeks.”