It was found that third parties could exploit the 4-way handshake of the Wi-Fi Protected Access II protocol (WPA2) and essentially eavesdrop on the traffic between computers, devices and access points.
Mathy Vanhoef, a post-doctorate researcher from KU Leuven, discovered the flaw earlier this year while working on a research paper. Vanhoef says he was double-checking a claim he made in the paper about the OpenBSD operating system’s implementation of the 4-way handshake when he discovered the flaw.
While looking at the code, he decided to call a certain function twice, guessing that it would reset the encryption key generated during the 4-way handshake. And it did. Calling the function a second time allows a third party to exploit the 4-way handshake that establishes a key for encrypting traffic.
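A toy model of the behaviour described above, added here as an illustration and not taken from OpenBSD or any real Wi-Fi stack: installing the same key a second time restarts the per-packet counter, so the same (key, counter) pair encrypts two frames, while the hardened client ignores the repeated install. The class, function names and key value are constructed, the hash-based keystream is a stand-in for the real cipher, and the counter detail comes from the general description of the flaw rather than from this post.

```python
# Toy model (constructed for illustration; not real 802.11 or OpenBSD code).
import hashlib


def keystream(key: bytes, counter: int, length: int) -> bytes:
    """Stand-in cipher: the keystream depends only on (key, packet counter)."""
    out, block = b"", 0
    while len(out) < length:
        seed = key + counter.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(seed).digest()
        block += 1
    return out[:length]


class Client:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.key = None
        self.counter = 0
        self.used = []  # every (key, counter) pair that encrypted a frame

    def install_key(self, key: bytes) -> bool:
        """Key-install step of the handshake; may be triggered more than once."""
        if self.hardened and key == self.key:
            return False      # key already in use: keep the counter running
        self.key = key
        self.counter = 0      # a (re)install restarts the packet counter
        return True

    def send(self, plaintext: bytes) -> bytes:
        self.counter += 1
        self.used.append((self.key, self.counter))
        ks = keystream(self.key, self.counter, len(plaintext))
        return bytes(p ^ k for p, k in zip(plaintext, ks))


def reused_pairs(hardened: bool) -> int:
    """Install the same key twice around two frames; count repeated pairs."""
    client = Client(hardened)
    key = b"constructed-session-key"
    client.install_key(key)
    client.send(b"frame one")
    client.install_key(key)   # the function is called a second time
    client.send(b"frame two")
    return len(client.used) - len(set(client.used))


if __name__ == "__main__":
    print("vulnerable:", reused_pairs(False), "hardened:", reused_pairs(True))
```

A non-zero count for the unpatched client is the condition a patched device removes, which is why the update advice further down matters most.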
What does this mean?
Basically, this means that a third party within range of a victim can intercept the victim's Wi-Fi traffic and access data without having to crack the Wi-Fi password. This works on Android, Apple, PC and Linux devices and all modern routers – so most devices are vulnerable.
Vanhoef writes “… attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks.” He adds that third parties could even manipulate data using this flaw, depending on the network configuration. Vanhoef confirms the flaw is present in WPA and WPA2 security standards.
Following his discovery, Vanhoef disclosed his findings to relevant parties who have reached out to affected suppliers. Subsequently the Wi-Fi Alliance has a plan to help remedy the discovered vulnerabilities in WPA2.
How to protect your WPA2 connection:
Sadly, there’s not much average users can do to protect themselves.
- When possible, use cellular data instead of Wi-Fi connections. Cellular data connections use a completely different type of encryption.
- Stick to HTTPS connections. HTTPS connections are secure connections between browsers and websites and encrypt the data sent between them. The Firefox web browser has an extension that secures all websites. Check it out here.
- Run updates. It is widely reported that updates will be rolled out in the coming weeks to remedy the flaw, so keep your devices up to date. The Charged blog keeps an updated list of all device and router updates, here.
That’s all the info we have at the moment. If you’d like, head over to the KRACK Attacks website for more information. Alternatively, we’ll update this post as we get more information.