Microsoft already has a fix for the WPA2 vulnerability

Share

They apply a layer of encryption to the data transmitted, protecting the information from being deciphered by other Wi-Fi-enabled devices in the immediate area.

This is particularly worrying because WPA2 is the most secure WiFi security protocol now available in general use.

During his investigations, Vanhoef discovered that Android, Apple, Linux and Windows users are all affected by some variant of the attacks.

Spark is liaising with device manufacturers as a matter of urgency to understand when they will have patches available for their devices and the process for installing those patches on devices.

Without getting too into the weeds on the technology behind the flaws, what they allow the hacker to do essentially is make a carbon copy of the user's WiFi network and use that duplicated network as a "middle man" between the device and the network.

If you need to use Wi-Fi, stick to sites that use HTTPS encryption, or hop on a virtual private network (VPN) to potentially hide all of your network traffic. The hacker only needs to be within range of your Wi-Fi-not logged into your network-to take advantage of it and steal your data.

Device and OS vendors are now working on security updates.

Pretty sneaky, Microsoft. While some vendors were scrambling to release updates to fix the KRACK Attack vulnerability released today, Microsoft, quietly snuck the fix into last week's Patch Tuesday.

Sounds great, but in practice a great many products on the CERT list are now designated "unknown" as to whether they are vulnerable to this flaw.

Although this isn't a surefire way to protect yourself from an attack, it's a good idea to stay away from public Wi-Fi networks until the issue has been completely mitigated. This can allow attackers to force the sites to drop back to transmitting standard HTTP data.

The Wi-Fi exploit is knows as "KRACK" - short for Key Reinstallation Attacks.

Now about 41 percent of Android devices run software vulnerable to this "exceptionally devastating" variant of the attack, Vanhoef said.

Microsoft today issued an emergency Windows security update to patch vulnerabilities in the Wi-Fi Protected Access II (WPA2) protocol used to secure wireless networks. This could involve passwords, credit card numbers, photos and messages sent over a network to be stolen, or cyber attacks to be inserted into the traffic. With our novel attack technique, it is now trivial to exploit implementations that only accept encrypted retransmissions of message 3 of the 4-way handshake.

"If your device supports Wi-Fi, it is most likely affected", Vanhoef says.

The Wi-Fi Alliance, an industry group which sets standards for wireless connections, said computer users should not panic. Improperly configured HTTPS websites will also leak data-if you don't happen to notice that the little "https" has suddenly gone missing from your URL bar, you could be in trouble.

Intel has confirmed the KRACK flaws affect its Wind River Linux-based embedded systems used in IoT devices.

Vanhoef has a full paper on Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 in.PDF format that you can grab here, if you really want to dive into the nuts and bolts of it all.

Share