The WPA2 protocol that secures all modern WiFi networks used by smartphones, routers, laptops and internet-of-things (IoT) devices has been cracked, meaning that all data transmitted over such connections is open to hackers and cybercriminals, research suggests.
The issues were found by Mathy Vanhoef, a security researcher at Belgian university KU Leuven. The flaw, not actually in products but instead found in the WiFi standard itself, means that credit card numbers, passwords, chats, emails and documents could all be hijacked.
“Any device that uses WiFi is likely vulnerable,” the security expert warned – a shocking assertion as so much of modern technology relies on the networks.
He said any information previously thought to be encrypted is currently at risk, adding that the technique – branded Key Reinstallation Attack, or “Krack” – is able to bypass the security of devices running Android, Linux, Windows, MediaTek, OSX and more.
Vanhoef wrote: “The attack works against all modern protected Wi–Fi networks.
“Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”
The Krack attack – which needs attackers to be in close range of a target – takes advantage of WPA2’s “4-way handshake” system which devices joining a network use to communicate securely.
To prevent the attack, users must update all affected products as soon as security updates become available – but in some cases this may take weeks.
The attack is “exceptionally devastating” against Linux and Android 6.0, the researcher found.
Vanhoef said that it was “trivial” to intercept Android data and that 41% of devices running the OS are at risk to one variant of his key reinstallation attack.
According to Google statistics, released in May this year, there are now more than two billion monthly active Android devices in use around the world.
Changing your WiFi network password will do nothing to stop the attack, the research said.
Android devices are vulnerable to attack iStock
Instead, Vanhoef said all individual devices should be updated when patches emerge. Additionally, the firmware of routers will need to be urgently updated when possible.
Some vendors with vulnerable products have known about the issue since mid-July this year. Meanwhile US CERT, a division of Homeland Security, sent out an advisory to some of the impacted firms on 28 August 2017.
Older hardware may never receive updates.
Experts do not know if the bug is being actively exploited by hackers.
The WiFi Alliance, a US body which oversees security of devices using the protocol, said the issues should be able to be resolved with “straightforward software updates.”
Alex Hudson, a security researcher, said on his website that the only answer for some Android devices was to switch off the WiFi function completely.
He wrote: “There are plenty of nasty attacks people will be able to do this.
“They may be able to disrupt existing communications. They may be able to pretend to be other nodes on the network. This could be really bad.”
He continued: “You can think of this a little bit like your firewall being defeated. WiFi encryption mainly functions to keep other devices from talking on your network (the security otherwise has been a bit suspect for a while).
“If that no longer works, it makes the devices on your network a lot more vulnerable – attackers in proximity will now be able to talk to them.”
More on the WiFi flaw is set to be revealed on 1 November 2017 during the Black Hat Europe conference. The full research paper has now been made available for download.