Serious “KRACK” vulnerability puts nearly every Wi-Fi network at risk, opens sensitive data to hackers

SmartCompany, October 17, 2017

A massive vulnerability has been found in the WPA2 security protocol used by the majority of modern wireless networks, allowing potential hackers to steal sensitive data just by being in range of a vulnerable network.

The vulnerability, called the “key reinstallation attack” or “KRACK” flaw, was discovered by Belgian security researcher Mathy Vanhoef and released in a research paper online, warning users of a “serious weakness” in the WPA2 protocol.

“An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted,” Vanhoef wrote.

“This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on.

“The attack works against all modern protected Wi-Fi networks.”

WPA2 and its associated encryption methods, such as WPA, have been long considered as the gold standard in wireless network security and encryption, and have been used widely as the recommended security level for modern wireless networks for years.

Affected devices are not just limited to desktop or laptop computers, with the researchers warning Android smartphones could be some of the worst affected by the newly discovered vulnerability.

Vanhoef first alerted vendors to the vulnerability in August, and as a result, many operating systems such as Microsoft’s Windows and Apple’s macOS and iOS have been patched with fixes for the vulnerability, given users have been vigilant with updating their systems.

However, many Linux-based systems and wireless router firmwares have yet to be updated, with many companies currently working on a fix.

SMEs should update systems immediately

For businesses and business owners, founder of IT services firm Combo David Markus believes there’s a great deal of risk when operating on unpatched networks both in and out of the office.

“Nearly all Wi-Fi networks are now at risk, so this means if you’re at the airport or a hotel, assume it hasn’t been patched yet and don’t look at anything sensitive or use anything that requires a password,” Markus told SmartCompany.

“You have to assume any wireless network has not been patched, and could potentially expose you.”

SME owners keen to put their mind at ease should chase up their router vendors about a patch for the vulnerability and should be keeping their computer systems updated, advises Markus.

“What we thought was secure has been found to not be secure, so it’s back to the stone ages for network security,” he says.

Markus advises business owners to stick to 4G mobile networks when out of the office, and says SMEs could consider returning to wired ethernet connections if they’re not confident about their network security.

However, the main course of action SMEs should take is endeavouring to patch all vulnerable devices as quickly as possible.

“Such is the nature of these exploits that patches will be published relatively quickly, however, I’d estimate about 80% of SMEs and organisations won’t be applying those patches,” Markus says.

“It’s worth wandering around your building with your mobile phone to check the range of your wireless network, as this will give you an idea of how vulnerable you might be.”

For concerned business owners, ZDNet has compiled a list of all available patches currently. If you are concerned, contact the vendor of your Wi-Fi-enabled product.