If you thought Wi-Fi networks protected with the WPA2 protocol were secure, think again. Researchers have identified a flaw in the standard that can allow cybercriminals to decrypt commercial and consumer traffic.
The flaw not only could allow hackers to steal passwords and financial data supposedly encrypted upon transmission, but under the right conditions bad actors could inject malware or manipulate data on the network.
Key re-installation attacks, or KRACK, take place during the four-part “handshake” that is supposed to deliver a fresh, encrypted session every time a device connects to the network. The 14-year-old standard, thought to be hacker-proof, can be subverted by interrupting the handshake during the third step and resetting the encryption key to zero. That unencrypts the session, leaving everything open to prying eyes.
Researchers Mathy Vanhoef and Frank Piessensv of Katholieke Universiteit Leuven (KU Leuven) in Belgium, discovered the problem in a handful of devices in mid-July. Following standard cybersecurity practice, prior to revealing the exploit to the public they alerted manufacturers of the devices they tested so the manufacturers could patch the problem.
However, further sleuthing uncovered an ominous fact: The flaw was not a bug in the devices or the way the protocol was implemented but in the Wi-Fi standard itself. Even correctly implemented WPA2 installations are vulnerable, Vanhoef said.
Piessensv and Vanhoef alerted the United States Computer Emergency Readiness Team (CERT), which began contacting vendors in August. CERT gave manufacturers a six-week lead before disclosing the weakness on Monday.
At the same time, the researchers posted a video demonstrating how they compromised an Android 6.0 smartphone, but all operating systems attached to any unpatched Wi-Fi network are vulnerable, they said.
One security expert, Robert Siciliano, chief executive officer for IDTheftSecurity.com, told NBC News he would be surprised if the flaw hasn’t already been exploited.
“This vulnerability has been in existence, some say, for up to 14 years,” he said, “which means that it’s entirely possible someone has already determined this flaw in the past and has exploited it.”
To ensure the security of your network and devices, check with router and device manufacturers for firmware updates and software patches. Many manufacturers and internet service providers pushed patches to devices during the grace period between discovery and public reveal, but some are still wrestling with the issue.
“I think most manufacturers will have patches soon,” Rudis Bob Rudis, chief data scientist at security data and analytics company Rapid7, told NBC News. “But if you don’t see a patch for your home network equipment in at least a week, you should get a new Wi-Fi access point for your house.”
The other — and potentially better — option: a virtual private network. A quick Google search will turn up all kinds of options ranging in price from free to a few dollars a month. Although hackers may still be able to intercept traffic on a VPN, they won’t be able to crack the encryption.
