Wi-Fi currently allows almost anyone, anywhere, to access the entire internet in seconds. However, our personal data might not be as safe as we previously thought. Researchers have discovered a massive security flaw that could allow anyone to access any device on a Wi-Fi network. This could put credit card details, private messages, photos, and other forms of data at risk.
The flaw affects all major modern devices and operating systems, including Apple, Windows, Linux, and Android.
Researcher Mathy Vanhoef wrote, “The attack works against all modern protected Wi-Fi networks. If your device supports Wi-Fi, it is most likely affected.”
The exploit is being called a KRACK attack, short for the “key reinstallation attack” that was used to exploit the WPA2 security protocol. In layman’s terms, the attacker can intercept and read sensitive data moving over the network.
However, the attack does have some limitations.
Iron Group CTO Alex Hudson pointed out in his blog that the attack is not without mitigating factors. Any attacker needs to be on the same physical network that you are on. That means that not everyone everywhere will instantly be in danger of attack.
“So, you’re not suddenly vulnerable to everyone on the internet. It’s very weak protection, but this is important when reviewing your threat level,” Hudson said.
Secondly, if a website uses an additional layer of encryption, such as HTTPS, its traffic is not vulnerable.
Still, Hudson warned, “There are plenty of nasty attacks where people will be able to do this. They may be able to disrupt existing communications. They may be able to pretend to be other nodes on the network. This could be really bad … they can definitely pretend to be non-secure resources. Almost certainly there are other problems that will come up, especially privacy issues with cheaper internet-enabled devices that have poor security.”
Despite this, the problem is patchable. Android devices, in particular, are at risk. Fixes can be developed for the problem, but it will take time and resources.
Vendors were warned about the vulnerability in July so they would have time to prepare patches before the exploit was publicised. The research also indicated that there were no known uses of the attack yet, but noted that publishing it would likely lead to an increase in attacks in the future.