[Update]: Patched by many; here's the complete list of companies that have already sent a fix
Wi-Fi may not be a secure connectivity option after all: the latest research has revealed that its key encryption protocol may have been broken. WPA2, the security protocol used to protect Wi-Fi connections, is potentially putting millions of users at risk. If the risks are even close to what is claimed, this may result in a Bluetooth-like situation where users are asked to keep Wi-Fi turned off until they need it. However, considering our dependency on app refreshes and notifications, this is not a viable way out.
Attacker needs to be "in range" for this WPA2 exploit to work
A new exploit called KRACK (Key Reinstallation AttACK) could potentially make it possible for attackers to eavesdrop on Wi-Fi traffic passing between computers and access points. "We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks," the security researchers wrote. "An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs)."
"Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites."
Judging by how the research was kept secret and its publication delayed for months, fixes are likely already in the works. In its advisory, the United States Computer Emergency Readiness Team (US-CERT) has also warned over 100 organizations of the possible ramifications of KRACK.
"US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven will be publicly disclosing these vulnerabilities on 16 October 2017."
The vulnerabilities were discovered by researchers Mathy Vanhoef and Frank Piessens of the Belgian university KU Leuven. Vanhoef said that the attack exploits the four-way handshake that is used to establish a key for encrypting traffic. During the third step of that handshake, the key can be sent multiple times, and each retransmission causes the client to reinstall it, which undermines the encryption. Exactly what happens during the attack has yet to be publicly revealed, but it appears that an attacker can piggyback their way into a network to spy, collecting the data being transmitted, and potentially inject malicious files too.
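The retransmitted third message is the crux of the weakness described above. The following toy model, added here as an illustration and not code from the researchers or from any Wi-Fi stack, shows why it matters from a defender's point of view: an unpatched client that reinstalls the same pairwise key on a retransmitted message 3 also resets its per-key packet number (the nonce), so it later protects two frames with the same key and nonce; a patched client refuses to reinstall a key it is already using. Everything is constructed for the example: the `Supplicant` class, the `keystream` stand-in (HMAC-SHA256 in counter mode instead of CCMP's AES-CTR), the key bytes and the sample frames. The `nonce_reuse_detected` check models the kind of monitoring a network owner could apply to a client's own transmitted frames.

```python
"""Toy model of the WPA2 4-way handshake retransmission issue.

Constructed example: a simulated supplicant receives handshake message 3,
installs the pairwise key (PTK) and starts its packet number (the nonce) at 0.
A retransmitted message 3 makes the unpatched supplicant reinstall the same
key and reset the packet number, so later frames reuse (key, nonce) pairs.
The patched supplicant refuses to reinstall a key that is already in use.
The keystream is a stand-in (HMAC-SHA256 counter mode), not real CCMP.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field


def keystream(ptk: bytes, packet_number: int, length: int) -> bytes:
    """Stand-in per-frame keystream: fully determined by (key, nonce)."""
    out = b""
    block = 0
    while len(out) < length:
        msg = packet_number.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(ptk, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


@dataclass
class Supplicant:
    patched: bool
    ptk: bytes | None = None
    packet_number: int = 0
    installed: bool = False
    sent: list = field(default_factory=list)  # (packet_number, ciphertext)

    def receive_msg3(self, ptk: bytes) -> str:
        """Handle handshake message 3, which may be a retransmission."""
        if self.patched and self.installed and ptk == self.ptk:
            # Fixed behaviour: the same key is already in use, so do not
            # reinstall it and, crucially, do not reset the nonce counter.
            return "ignored-retransmission"
        self.ptk = ptk
        self.installed = True
        self.packet_number = 0  # (re)installing the key resets the nonce
        return "installed"

    def send(self, plaintext: bytes) -> tuple[int, bytes]:
        """Protect one frame under the installed key and current nonce."""
        pn = self.packet_number
        self.packet_number += 1
        ks = keystream(self.ptk, pn, len(plaintext))
        ct = bytes(a ^ b for a, b in zip(plaintext, ks))
        self.sent.append((pn, ct))
        return pn, ct


def nonce_reuse_detected(frames: list[tuple[int, bytes]]) -> bool:
    """Monitoring check: the same packet number seen twice under one key."""
    seen = set()
    for pn, _ in frames:
        if pn in seen:
            return True
        seen.add(pn)
    return False


def run_handshake(patched: bool) -> dict:
    """Drive one client through message 3, a frame, a retransmitted
    message 3 and a second frame; report what a monitor would observe."""
    ptk = b"constructed-ptk-"  # constructed 16-byte key material
    sta = Supplicant(patched=patched)
    sta.receive_msg3(ptk)
    sta.send(b"GET /index.html ")          # constructed sample frame
    outcome = sta.receive_msg3(ptk)        # retransmitted message 3
    sta.send(b"POST /login HTTP")          # constructed sample frame
    return {
        "second_msg3": outcome,
        "nonce_reuse": nonce_reuse_detected(sta.sent),
        "packet_numbers": [pn for pn, _ in sta.sent],
    }


if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "unpatched", run_handshake(patched))
```

Run stand-alone, the unpatched client reports packet numbers `[0, 0]` and the reuse check fires, while the patched client reports `[0, 1]` and ignores the second message 3. The design choice mirrors the mitigation the researchers describe: the fix lives in the client's key-installation state, so changing the Wi-Fi password cannot help, exactly as the article notes further down.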
This is a core protocol-level flaw in WPA2 wi-fi and it looks bad. Possible impact: wi-fi decrypt, connection hijacking, content injection. https://t.co/FikjrK4T4v
— Kenn White (@kennwhite) October 15, 2017
Researchers have said that all devices that support Wi-Fi are "likely" affected, including:
- Linux (researchers write that Android & Linux are the most vulnerable)
The researchers also said that the attack works "against both WPA1 and WPA2, against personal and enterprise networks, and against any cipher suite being used (WPA-TKIP, AES-CCMP, and GCMP)". This essentially means everyone is vulnerable, making it absolutely essential that you install the patches as soon as they are available.
However, the researchers noted that changing your Wi-Fi password won't help, and that not every router will necessarily need a security update. They have insisted on checking with your router vendor to make sure you remain protected.
While it may seem like a catastrophic situation, the requirement for the attacker to be within radio range will hopefully limit its usefulness to targeted attacks. Also note that if you are visiting websites over HTTPS or using a VPN service, your information will remain protected, since the attack affects the security of the Wi-Fi link itself and not data that is encrypted on top of WPA2 - unless these extra protections are vulnerable to attacks themselves.
- Technical details will be updated in this post later today.
[Update]: the research is now live [PDF].