The new security flaw allows attackers to read Wi-Fi traffic between devices and wireless access points, and even modify it to inject malware into websites. The flaw was discovered by researchers as part of a project into finding flaws in Wi-Fi protocols.
KRACK
The proof-of-concept exploit is called KRACK, short for Key Reinstallation Attacks, and it has been a closely-guarded secret for several weeks before being announced Monday morning at 8:00 a.m. EST, reports ArsTechnica.
Researchers Mathy Vanhoef and Frank Piessens of Belgian university KU Leuven created a website that discloses the bug affects the core WPA2 protocol itself and is effective against devices running the Android, Linux, Apple, Windows, and OpenBSD operating systems, as well as MediaTek Linksys, and other types of devices.
“This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”
“If your device supports Wi-Fi, it is most likely affected,” they said on the website, www.krackattacks.com, that they set up to provide technical information about the flaw and methods for attacking vulnerable devices. It is not clear how difficult it would be to exploit the flaw or even if any devices have been hacked.
Researchers sent out notifications to specific vendors in July, and a broad notification was distributed in late August. Security researchers note that it’s not worth changing your Wi-Fi password as this won’t help prevent attacks. The Wi-Fi Alliance, an industry group representing hundreds of Wi-Fi technology companies, said the issue “could be resolved through a straightforward software update,” according to Reuters.