Protocol-level security flaws in WPA2 may affect ALL Wi-Fi devices!

A security expert at Belgian university KU Leuven has discovered a major vulnerability in the Wi-Fi Protected Access II (WPA2) protocol that could a expose a user's wireless Internet traffic, including usernames and passwords that are entered into secure websites.

In 2001 a vulnerability exposing the Wi-Fi security protocol WEP was cracked, and it was soon deemed unsafe to use. Unlike in past when older WiFi security protocols have been compromised, there is nothing to replace WPA2.

The site adds that even though the likes of Aruba and Ubiquity have updates available to mitigate these vulnerabilities, a large number of WI-Fi devices may not be patched in time or at all by their makers. "As a result, now 31.2 percent of Android devices are vulnerable to this exceptionally devastating variant of our attack".

A top federal government cybersecurity watchdog issued an advisory on Monday, warning users to update their devices to protect against a newly discovered vulnerability that affects almost every modern, protected WiFi network.

When a client device (like a laptop or smartphone) wants to join a network, the four-way handshake determines that both the client device and the access point have the correct authentication credentials, and generates a unique encryption key that will be used to encrypt all the traffic exchanged as part of that connection. For example, a message sent from your phone to a network could be played, or video that your security camera sent to network could be played and all modems are affected.

Instead, Vanhoef said all individual devices should be updated when patches emerge.

The WiFi Alliance, a United States body which oversees security of devices using the protocol, said the issues should be able to be resolved with "straightforward software updates".

Dubbed KRACK, or Key Reinstallation Attacks, the weakness affects "all modern protected Wi-Fi networks", researcher Mathy Vanhoef wrote about his findings.

More news: Las Vegas shooter Stephen Paddock may have been planning Boston attack

WPA2 is used to secure and protect communications between routers, mobile devices and IoT devices. And hackers are able to do this through this KRACK vulnerability. From credit card numbers and private messages to passwords and personal files.

In short, nearly all Wi-Fi devices featuring the WPA2 security protocol are vulnerable to key flaws in its 4-way handshake process.

The attack works against all modern protected Wi-Fi networks.

Ideally, all manufacturers and developers will patch their products to fix this issue.

While he acknowledged that some of the attack scenarios discussed in his research are impractical to pull off, he said the bottom line is that you should still "update all your devices once security updates are available".

Linux's wpa_supplicant v2.6 is also vulnerable to the installation of an all-zero encryption key in the 4-way handshake.

Also, the public announcement about this security weakness was held for weeks in order to give Wi-Fi hardware vendors a chance to produce security updates. "Furthermore, an attacker wishing to target you would need to be within Wi-Fi range of your devices, making this very much a local attack".

  • Toni Ryan