Hackers have found a way to work around the security layer that protects Wi-Fi networks, according to a recent CNBC report. The hack could make it possible to listen in on anyone’s Internet-connected communications, according to research by Mathy Vanhoef and Frank Piessens of Katholieke Universiteit (KU Leuven), a Belgian university.
The security protocol that protects modern Wi-Fi networks is WPA2. Vanhoef and Piessens’ research shows hackers managed to manipulate the cryptographic elements behind the security. Since the bug, dubbed Key Reinstallation Attack (Krack for short), is an issue with the security standard rather than with an individual device, it can impact any device connected to a Wi-Fi network. Research shows operating systems like Google’s Android, Apple’s iOS and Microsoft’s Windows are all vulnerable to this attack.
“Krack” targets the step that follows authentication. When a user enters the correct password to access a Wi-Fi network, a new encryption key is generated to encrypt the traffic that follows. Hackers can now manipulate this process with “Krack”: according to the research, they manipulate and replay the cryptographic “handshake” messages. It’s important to note that the attacker has to be within range of a victim for it to work.
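A simplified model of the key reinstallation described above, added here as an illustration and not taken from the researchers' code. It goes one step beyond the text by modelling the per-frame counter that a key reinstallation resets; the `Client` class, the toy HMAC-based keystream (a stand-in for WPA2's real cipher) and the sample key are assumptions.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy per-frame keystream: depends only on the key and the frame counter."""
    out = b""
    block = 0
    while len(out) < length:
        msg = nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Simplified Wi-Fi client: installs the session key when handshake message 3 arrives."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.nonce = 0

    def on_handshake_msg3(self, key: bytes) -> None:
        if self.patched and key == self.key:
            return  # key already installed: ignore the replay, keep the counter
        self.key = key
        self.nonce = 0  # (re)installing the key resets the per-frame counter

    def send(self, plaintext: bytes):
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))


def nonces_used(patched: bool):
    """Send a frame, receive a replayed message 3, then send a second frame."""
    key = b"constructed-session-key"  # constructed sample value
    p1, p2 = b"frame one: hello", b"frame two: world"  # constructed sample frames
    client = Client(patched)
    client.on_handshake_msg3(key)
    n1, c1 = client.send(p1)
    client.on_handshake_msg3(key)  # the replayed handshake message
    n2, c2 = client.send(p2)
    # With a repeated counter the keystream cancels out of c1 XOR c2
    return n1, n2, xor(c1, c2) == xor(p1, p2)
```

In the unpatched client both frames are encrypted with counter 1, so the encryption no longer hides how the two frames relate to each other; the patched client moves on to counter 2 and the replay has no effect.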
As for who could fall victim to “Krack,” it’s any device connected to a Wi-Fi network. The research shows that the breach could be devastating to a certain version of Linux and especially so to devices that run Android 6.0 and above. According to data from Google, half of Android devices run this version.
Vendors of affected products were alerted in mid-July. Vanhoef notified the United States Computer Emergency Readiness Team (CERT) about the vulnerability, and CERT then notified vendors in late August.
Vanhoef says it’s not necessary to change your Wi-Fi password, but rather to make sure all devices and the router’s firmware are updated, and to continue using the WPA2 protocol.
The researcher said vendors of affected products were notified around July 14. Vanhoef then disclosed the vulnerability to the United States Computer Emergency Readiness Team (CERT), which sent out a notification to vendors on Aug. 28. Meanwhile, the U.S. Department of Homeland Security Computer Emergency Response Team suggested installing vendor updates on any affected products, such as routers provided by Cisco Systems.
Companies have also taken preventive measures. Microsoft released a security update; Google’s Android devices with a security patch level of November 6, 2017 or later are protected; and Apple has a remedy that’s in beta but will be available to everyone soon.