'Krack' wi-fi breach means every modern network and device is vulnerable to hack, researcher says
‘If your device supports wi-fi, it is most likely affected’
Every modern wi-fi network, and every device that has connected to one, could potentially have been hacked after a huge breach, researchers have said.
If the breach – known as Krack – is used, then it can give access to almost everything that has been sent over the network. Any device that used that same network could potentially have been hit by the problem.
“This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on,” wrote security researcher Mathy Vanhoef, whose work was noted by the US government. “The attack works against all modern protected wi-fi networks.”
Mr Vanhoef also noted that almost every modern computer, phone and even fridge could be hit by the attack. “Note that if your device supports wi-fi, it is most likely affected,” he wrote on a page devoted to the vulnerability.
And almost anything that’s sent over an affected network could be read. Some technologies like HTTPS make it far harder to read what’s being sent over a network – but even that has been “bypassed in a worrying number of situations”, wrote Mr Vanhoef.
On that same page, he issued a plea to the companies that make the devices to issue a patch to fix it as soon as possible. He said that users should install the patches as soon as they’re available.
Vendors were told about the problems around July and August, according to Mr Vanhoef. Some updates have already been pushed out.
Android phones are likely to be the worst affected by the attack. Not only are they already particularly vulnerable, they are also incredibly slow to receive updates – meaning that the patch could take a while to arrive, which is especially concerning now that the exploit is public.
The “Krack” attack works by exploiting the “handshake” that a wi-fi network and a device give to each other when the latter wants to join. Usually, the two decide on an encryption key for all future traffic, meaning that each device will only be able to read data if it has that key.
But researchers have found that the process can be tricked by giving the victim a key that’s already in use, which allows someone to decrypt and read any of the messages that are being sent over the network.
“Currently, all modern protected wi-fi networks use the” specific kind of handshake that is liable to attack, wrote Mr Vanhoef. “This implies all these networks are affected by [some variant of] our attack”, he wrote, noting that it didn’t simply apply to any one form of wi-fi protected access in particular.
But he notes that it’s possible to patch up the problem, and that devices will go on working as they did before. It’s for that reason that he urges everyone to update their software as soon as possible.
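A simplified model of the flaw and the fix described above, added here as an illustration and not taken from Mr Vanhoef’s page or any vendor patch. The `Client` class, its packet counter and the HMAC keystream are assumptions standing in for real wi-fi code: reinstalling a key that is already in use rewinds the counter, so two packets are encrypted with the same key and nonce, while the patched client ignores the repeat.

```python
import hashlib
import hmac


class Client:
    """Toy model of a wi-fi client's key handling (not real WPA2 code)."""

    def __init__(self, patched):
        self.patched = patched
        self.key = None
        self.packet_number = 0   # per-packet nonce; must never repeat under one key
        self.nonces_used = []    # (key, nonce) pairs actually used to encrypt

    def install_key(self, key):
        # Runs whenever the key-confirmation message arrives, retransmissions included.
        if self.patched and key == self.key:
            return False         # fix: key already installed, keep the counter
        self.key = key
        self.packet_number = 0   # flaw: reinstalling the same key rewinds the nonce
        return True

    def encrypt(self, plaintext):
        self.packet_number += 1
        nonce = self.packet_number.to_bytes(8, "big")
        self.nonces_used.append((self.key, nonce))
        # Toy keystream (assumption): HMAC-SHA256 of the nonce under the session key.
        stream = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return bytes(p ^ s for p, s in zip(plaintext, stream))


def nonce_reused(client):
    """True if any (key, nonce) pair was used for more than one packet."""
    return len(set(client.nonces_used)) != len(client.nonces_used)


def run_session(patched):
    """Handshake, one packet, the same key delivered again, another packet."""
    client = Client(patched)
    session_key = b"constructed-session-key"   # constructed sample value
    client.install_key(session_key)
    first = client.encrypt(b"constructed packet A")
    client.install_key(session_key)            # retransmitted handshake message
    second = client.encrypt(b"constructed packet B")
    return client, first, second


if __name__ == "__main__":
    for patched in (False, True):
        print("patched:", patched, "nonce reused:", nonce_reused(run_session(patched)[0]))
```

The password never appears in the model, which matches the article’s point that changing it makes no difference: the fix lives in how the client handles a key it has already installed.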
Other than that, there is very little that ordinary users can do about the problem. Changing your wi-fi password will make no difference, for instance, since the attack doesn’t use that password.
It’s not clear whether the attack has already been used, though the chance of that is now much higher since the exploit is public. “We are not in a position to determine if this vulnerability has been [or is being] actively exploited in the wild,” Mr Vanhoef writes on the page.
But he notes that the behaviour could actually happen by accident, as the result of a bug.