The US computer security watchdog warned on Monday of a security flaw in the Wi-Fi encryption protocol that could allow attackers to eavesdrop on, or hijack, devices using wireless networks.
The flaw disclosed by the government’s Computer Emergency Response Team could allow hackers to snoop on or take over millions of devices that use Wi-Fi. The agency, part of the Department of Homeland Security, said the flaw was discovered by researchers at the Belgian university KU Leuven. The flaw has been dubbed KRACK, for Key Reinstallation AttaCK, because it lets attackers force a device to reinstall the “key” that keeps data on a Wi-Fi connection private.
News site Ars Technica said the discovery was kept a closely guarded secret for weeks to allow makers of Wi-Fi systems to develop security patches. “Attackers can exploit the flaw in WPA2 – the name for the encryption protocol – to read information that was previously assumed to be safely encrypted,” the KU Leuven researchers said. “This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks,” they added.
The researchers said that, depending on the network configuration, it was also possible to inject and manipulate data. “An attacker might be able to inject ransomware or other malware into websites,” they said.
Security researchers said the newly discovered flaw was serious because of the ubiquity of Wi-Fi and the difficulty of patching millions of access points. “Everyone needs to be afraid. Attackers can decrypt a lot of Wi-Fi traffic, with varying levels of difficulty depending on your precise network setup,” said Rob Graham of Errata Security.
The Wi-Fi Alliance, an industry group that sets standards for wireless connections, said computer users should not panic. “There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections,” it said. “Wi-Fi Alliance will test the vulnerability within our global certification lab network. We have provided a vulnerability detection tool for use by any Wi-Fi Alliance member,” it added.