The bad news is your Wi-Fi connection is probably under attack. The good news is companies are already developing patches to keep you protected.
Security researcher Mathy Vanhoef was the talk of the internet today after he disclosed a major security flaw in the Wi-Fi Protected Access II (WPA2) security protocol, which is used to safeguard most wireless computer networks. The weakness has been dubbed Krack, short for the key reinstallation attacks it relies on.
The attack works against all devices and Wi-Fi networks that use WPA2—which includes just about every Wi-Fi enabled device on Earth. It also impacts almost every operating system, including Apple (AAPL), Windows, Linux version 2.4 or above and Android version 6.0 or above. Over 40 percent of Android devices are vulnerable to Krack.
Hackers can read personal information such as credit card numbers, passwords, emails and photos by forcing devices to connect to a bogus public Wi-Fi network. They can also use Krack to inject ransomware into websites and manipulate data.
The one mitigating factor is that an attacker exploiting the vulnerability needs to be within Wi-Fi range of the network the victim is using; it cannot be launched remotely over the internet.
Vanhoef’s explainer includes a video in which he demonstrates a Krack attack against a fully updated Android smartphone. The attacker is able to decrypt all the data on a user’s Match.com profile in only 4 minutes.
Sites that use secure HTTPS connections as an extra layer of security also aren’t guaranteed protection from Krack. As Vanhoef points out, hackers have successfully exploited HTTPS vulnerabilities in Apple’s iOS, Android apps and banking apps.
One bit of good news is that Vanhoef told most wireless vendors about Krack in July and August, while he was completing his research. Therefore, many companies have security updates designed to combat it either in the works or already on the market.
Microsoft (MSFT) released a Krack patch to all users today, which fixes the problem on all devices that support Windows 8 or above. The company is urging all customers to apply the update as soon as possible.
Google (GOOGL) also announced that a November 6 security update on all Android phones (including Pixels) will include protections against Krack.
Apple hasn’t detailed its Krack fix yet and did not respond to an Observer request for comment.
But the Wi-Fi Alliance, which certifies that devices conform to certain standards of interoperability, announced today that it will require all wireless companies (including Apple) to test their products for Krack vulnerabilities. The alliance is providing its members with a tool that lets them do just that—it’s based on Vanhoef’s own detection tool.
So while online security is serious business, it looks like wireless companies have already started “krack”ing the code.