Researchers reveal flaw in Wi-fi security

17 Oct 2017

Researchers have discovered a major wi-fi flaw called Krack, which puts the connections of businesses and homes around the world at risk. The flaw concerns an authentication system widely used to secure wireless connections.

According to a website which disclosed the vulnerability, the core WPA2 protocol itself is affected, which renders devices running the Android, Linux, Apple, Windows, and OpenBSD operating systems, as well as MediaTek, Linksys, and other types of devices, vulnerable. According to the site, attackers could exploit it to decrypt a wealth of sensitive data that's normally encrypted by the nearly ubiquitous Wi-Fi encryption protocol.

"This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites."

According to the researchers, the attack method was "exceptionally devastating" for Android 6.0 or above and Linux.

A Google spokesperson said, "We're aware of the issue, and we will be patching any affected devices in the coming weeks."

The US Computer Emergency Readiness Team (Cert) has issued a warning on the flaw.

"US-Cert has become aware of several key management vulnerabilities in the four-way handshake of wi-fi protected access II (WPA2) security protocol," it said.

"Most or all correct implementations of the standard will be affected."

Prof Alan Woodward, a computer security expert from the University of Surrey, said: "This is a flaw in the standard, so potentially there is a high risk to every single wi-fi connection out there, corporate and domestic," the BBC reported.

"The risk will depend on a number of factors, including the time it takes to launch an attack and whether you need to be connected to the network to launch one, but the paper suggests that an attack is relatively easy to launch.

"It will leave the majority of wi-fi connections at risk until vendors of routers can issue patches."