The KRACK (key reinstallation attacks) research claims this weakness could not only be used to intercept data travelling between your phone and the wi-fi access point, such as passwords and credit card numbers, but also to inject malicious software into websites.
He said any information previously thought to be encrypted is now at risk, adding that the technique - branded Key Reinstallation Attack, or "Krack" - is able to bypass the security of devices running Android, Linux, Windows, MediaTek, OSX and more.
"The attack works against all modern protected Wi-Fi networks", Mathy Vanhoef, one of the TKU Leuven University researchers who discovered the WPA2 vulnerability, wrote. "During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others are all affected by some variant of the attacks".
However, the risk is higher for Android smartphone users.The researcher has pointed out that more than 40 percent Android devices are vulnerable to a Wi-Fi-based attack, which can result in consequences such as data theft.
The solution to this problem is to immediately update the device as soon as a security patch becomes available.
"If your device supports Wi-Fi, it is most likely affected", the researchers said. The most used to this day, because supposed to be the most secure is WPA2. Ironically, older Android devices running 5.0 Lollipop or earlier, which are most likely to not receive updates, are less vulnerable than their newer cousins. Note that as protocol-level issues, most or all correct implementations of the standard will be affected.
What is the Krack WPA2 hack? How can it affect such a broad range of devices?
A spokesperson for the National Cyber Security Centre said it would be issuing guidance if needed.
The good news is that information about this vulnerability has been with hardware vendors since at least 14th July according to Vanhoef. That means software updates to smartphones, tablets, desktop and notebook computers will be required, as well so called "Internet of Things" device that connect to routers.
Called Krack, the attack takes advantage of the four-way handshake, a process between a device and a router that has been around for 14 years and is created to deliver a fresh, encrypted session each time you get online.
Users should keep using encrypted Wi-Fi wherever necessary, such as at home and at work.
This vulnerability poses particular problems for ISPs, in terms of insuring every device is patched against this vulnerability.
The disclosure by the government's Computer Emergency Response Team may potentially allow hackers to snoop on or take over millions of devices which use Wi-Fi.
This is hardly the first major security breach to affect Wi-Fi. For users who do not have automatic updates enabled, we suggest you update your Wi-Fi Windows devices immediately.
Vanhoef said his proof-of-concept attacks do not recover the password of the Wi-Fi network, nor do they recover any parts of the fresh encryption key that is negotiated during the 4-way handshake. The original standard for Wi-Fi encryption was named Wired Equivalent Privacy (WEP), a name that proved to be completely inaccurate as flaws were found permitting quick and easy cracking of the encryption.
- North Korean hackers 'stole US-South Korea war plans'
- Jorge Sampaoli Calls for Argentina to Match 'Incredible' Lionel Messi
- Rift To Get New Touch Interface
- Girls will soon be able to join Boy Scouts
- US' Pence departs football game after players kneel
- Joel Embiid agrees to $148 million extension with 76ers
- Harbaugh won't rule out Speight's return this season
- LEADING OFF: NL teams continue series, AL arms get a rest
- The bare minimum on gun control
- Rohingya boat capsize: Death toll rises to 23 as more bodies found