Monday in CE: Massive WiFi Security Flaw Leaves Devices Vulnerable to Hack

The Krack security exploit was discovered by Mathy Vanhoef, a cybersecurity expert at Belgian university KU Leuven, who will present his research at the Computer and Communications Security (CCS) conference later this month.

The bad news is there are more wireless devices sitting on our networks than ever.

If there aren’t any, it’s a good habit to check every day, since companies will be rolling out patches over the coming weeks, with some already bring implemented.

KRACK is a different sort of attack than previous exploits, in that it doesn’t go after devices, it goes after the information you use them to send.

It’s at this point that for our United Kingdom readers I should point out that nonce means something quite different when it comes to cryptography.

As a result, all devices with correct implementations of Wi-Fi are affected in one way or another, although their exact vulnerability depends on the implementation, Vanhoef said in a website published on Monday morning. The vulnerability can also be put to use to inject malware or ransomware into systems as well, which underscores a huge risk that both corporates and domestic users face in the aftermath of the discovery of the security flaw.

Sebastien Jeanquier, said: “Although this is a significant attack against the WPA2 protocol and the details of these vulnerabilities have been disclosed, no tooling has been made available thus far, although it is not inconceivable that attackers could create their own tools to perform such an attack”. The KRACK vulnerabilities allow the rogue network to reuse old keys and reset the counter to make them valid again.

“We show that an attacker can force these nonce resets by collecting and replaying retransmissions of message three of the four-way handshake”. The KRACK attack doesn’t break this encryption, so it could help secure your data. It might also mean it’s possible to forge Dynamic Host Configuration Protocol settings, opening the door to hacks involving users’ domain name service. However, Ars Technica reports that Android and Linux users are more vulnerable to severe attacks than Windows or iOS users.

Even secured websites, those with “https” in the URL, he warns, are not necessarily safe. Now devices don’t realize they are using the fake router. That allows the attacker to decrypt data packets that are being transmitted.

Researchers posted a demonstration of the attack where Android and Linux-based systems “can be tricked into (re) installing an all-zero encryption key”. You can read the full explanation of the vulnerability here.

So, while our PCs are protected because we have automatic updates enabled, you can download the updates for your PCs by referring to the table provided by Microsoft, if you haven’t enabled automatic updates. There is also a detailed FAQ, courtesy of Aruba. “As always, wi-fi users should ensure they have installed the latest recommended updates from device manufacturers”. According to The Verge, Microsoft has already released a fix for customers using Windows devices.

“In 2001, the WiFi security protocol WEP was cracked and it was soon deemed unsafe to use in order to keep your data and indeed networks safe from prying eyes”, Mark James, a security specialist at ESET, says in an email to Newsweek.