A security expert at Belgian university KU Leuven has discovered a major vulnerability in the Wi-Fi Protected Access II (WPA2) protocol that could expose a user's wireless Internet traffic, including usernames and passwords that are entered into secure websites. The vulnerability affects most devices and several operating systems, including Android, iOS, Windows, Linux, and OpenBSD.
"Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted," Mathy Vanhoef, a security expert at Belgian university KU Leuven, wrote in a detailed report (PDF) outlining the vulnerability. "This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos and so on."
Called KRACK, which is short for Key Reinstallation AttaCK, the vulnerability leaves wireless devices susceptible to a man-in-the-middle attack by tricking them into connecting to compromised wireless networks. It does this by exploiting the four-way handshake that all protected Wi-Fi networks have been using for more than a decade to establish a key for encrypting traffic. By taking advantage of this exploit, an attacker can clone a wireless network onto another channel, and then force a target device onto the malicious connection.
"If your device supports Wi-Fi, it is most likely affected," Vanhoef states in his report. "In general, any data or information that the victim transmits can be decrypted … Additionally, depending on the device being used and the network setup, it is also possible to decrypt data sent towards the victim (e.g. the content of a website)."
This is a major deal because WPA2 is the most secure and popular security protocol that is in general use. The good news is this attack is not able to steal data when connecting to a secured website that is properly configured. However, insecure connections to websites, such as those that do not display a padlock in the address bar indicating support for HTTPS, leave your data vulnerable. In addition, even some HTTPS sites can expose your data through this hack, if they are not set up correctly.
The report identified a couple of countermeasures to mitigate this sort of attack. Vanhoef is currently in the process of notifying vendors about KRACK and what changes they can make to routers and access points to protect against it. In addition, the international CERT group based at Carnegie Mellon University has been informing technology companies since late August, so hopefully fixes are right around the corner.