Home and corporate Wi-Fi networks — and all the data, photos and messages transmitted across them — could be vulnerable to hackers, according to a computer security researcher in Belgium.
The vulnerability is in WPA2, the main protocol that protects Wi-Fi networks. Hackers can use a technique known as key reinstallation attacks, or Krack for short, to intercept information sent over networks that users thought were encrypted, the researcher says.
“Nobody has ever found this vulnerability,” said Matthew Green, assistant professor of computer science at Johns Hopkins University. “It’s pretty serious.”
Who does this affect?
WPA2 is the “industry standard” and has been heavily relied upon as the “best level of protection for your information,” said Emma Garrison-Alexander, vice dean for cybersecurity and information assurance in the graduate school at the University of Maryland University College.
“It’s really the fundamental way our wireless communication is protected today,” she said.
Mathy Vanhoef, the researcher who discovered the protocol vulnerability, said on his website that any device that uses Wi-Fi is probably vulnerable. That means a router, a phone, a laptop, a smart TV or even a Wi-Fi enabled refrigerator that uses WPA2 protocol could be susceptible.
Vanhoef said the attack works against all modern protected Wi-Fi networks, and that his team found during its research that systems powered by Android, Apple, Windows, Linux and others were all affected by “some variant” of the attacks.
Are some operating systems more susceptible than others?
Vanhoef said on his site that the key reinstallation attack was “exceptionally devastating” against Linux and Android 6.0 or higher.
What’s the worst-case scenario?
A hacker could exploit this vulnerability in a Wi-Fi network and use it to capture the content of victims’ emails, browsing data to see what websites they visit, credit card information from online purchases, or photos and videos sent to friends.
“Any data information sharing that’s depending on that protocol for security” could be exposed, Garrison-Alexander said.
Should I be freaking out?
Yes and no.
While the security implications are grave, researchers believe attackers must be physically proximate to their victims, and extremely skilled in hacking. That makes attacks against individuals less likely, at least for now, than attacks against corporate targets, which transmit large amounts of payment information, experts said.
What should users do to protect themselves?
Cybersecurity researchers advise that users download a patch, or fix, from their device and router manufacturers as soon as they are available.
Microsoft Corp. said in a statement that the company released security updates last week and that users who have Windows Updates enabled and applied the security updates are automatically protected.
An Apple spokesman confirmed that the fix for the vulnerability is already patched into some devices that run beta versions of all of the company’s operating systems, including Mac OS, iOS, Watch and TV. A software update will be coming in a few weeks to patch the rest.
Google said in a statement that it is aware of the issue and will be patching any affected devices in the coming weeks. The company said Android partners have also been notified and will be issuing patches “as quickly as possible.”
Websites protected by HTTPS and encrypted email features could offer users an additional layer of protection, said Avi Rubin, professor of computer science at Johns Hopkins University and technical director of the university’s information security institute.
Concerned users could also avoid password-less file-sharing and avoid performing sensitive transactions on devices that connect to many Wi-Fi networks or have many unencrypted apps.