“This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on,” wrote security researcher Mathy Vanhoef, whose work was noted by the US government. “The attack works against all modern protected wi-fi networks.”
Mr Vanhoef also noted that almost every modern computer, phone and even fridge could be hit by the attack. “Note that if your device supports wi-fi, it is most likely affected,” he wrote on a page devoted to the vulnerability.
And almost anything that’s sent over an affected network could be read. Some technologies like HTTPS make it far harder to read what’s being sent over a network – but even that has been “bypassed in a worrying number of situations”, wrote Mr Vanhoef.
On that same page, he issued a plea to the companies that make the devices to issue a patch for the flaw as soon as possible. He said that users should install updates as soon as they’re available.
Vendors were told about the problems around July and August, according to Mr Vanhoef. Some updates have already been pushed out.
Android phones are likely to be the worst affected by the attack. Not only are they already particularly vulnerable, they are also incredibly slow to receive updates – meaning that the patch could take a while to arrive, which is especially concerning now that the exploit is public.
The “Krack” attack works by exploiting the “handshake” that a wi-fi network and a device give to each other when the latter wants to join. Usually, the two decide on an encryption key for all future traffic, meaning that each device will only be able to read data if it has that key.
But researchers have found that the process can be tricked into giving the victim a key that’s already in use, which allows someone to decrypt and read any of the messages that are being sent over the network.
“Currently, all modern protected wi-fi networks use the” specific kind of handshake that is liable to attack, wrote Mr Vanhoef. “This implies all these networks are affected by [some variant of] our attack”, he wrote, noting that it didn’t simply apply to any one form of wi-fi protected access in particular.
But he notes that it’s possible to patch up the problem, and that devices will go on working as they did before. It’s for that reason that he urges everyone to update their software as soon as possible.
Other than that, there is very little that ordinary users can do about the problem. Changing your wi-fi password will make no difference, for instance, since the attack doesn’t use that password.
It’s not clear whether the attack has already been used, though the chance of that is now much higher since the exploit is public. “We are not in a position to determine if this vulnerability has been [or is being] actively exploited in the wild,” Mr Vanhoef writes on the page.
But he notes that the behaviour could actually happen by accident, as the result of a bug.