Vulnerability in WPA2 encryption blamed for leaving the door wide open for private data theft
Half of Android devices are susceptible to an "exceptionally devastating" strain of a new computer hack which leaves almost every Wi-Fi device vulnerable.
Information about Key Reinstallation Attacks, or Krack for short, was published online on October 16. The site explains how a Belgian computer researcher discovered a critical flaw in how Wi-Fi's WPA2 encryption works.
The report claims any modern device connected to a Wi-Fi network can fall victim to the attack, which could potentially see the theft of personal information, passwords, images, messages and more from the connected device. The hack, which can only be performed when in Wi-Fi range of the victim, bypasses HTTPS website security and does not require the password of the victim's Wi-Fi network.
Mathy Vanhoef, who discovered the significant security flaw, claimed all Wi-Fi devices are susceptible, including Apple OS X and iOS devices, Android smartphones and tablets, plus computers running Windows, Linux and Mac. "If your device supports Wi-Fi, it is most likely affected," he said.
The researcher added that devices running Android 6.0 Marshmallow and above are particularly at risk from an "exceptionally devastating variant" of the attack. According to Google, over 50 percent of Android devices used today run version 6.0 or newer.
GearBrain has contacted Google for comment. The search giant has told other media outlets that it is "aware of the issue" and "will be patching any affected devices in the coming weeks."
Implicated manufacturers were contacted in mid-July, Vanhoef said, before a broader alert was sent out in late August. By that point, Vanhoef realised this was a critical flaw in the Wi-Fi protocol itself, and not just a bug on specific devices.
The exploit focuses on a random number generator system known as a nonce (a number that is only used once), which is used as part of the four-way handshake between a device and the Wi-Fi network it connects to.
Vanhoef asks everyone to install the next software update onto their devices as soon as possible. As the attack is client-side, it is the phones, tablets and computers wirelessly connected to your router which are at risk, rather than the router itself. Changing your Wi-Fi password will not help, but it is claimed that incoming software updates issued to all affected devices will fix the vulnerability.
As an example of how the attack works, Vanhoef published a video showing how an Android device can be exploited when logging into a seemingly secure website - in this case, dating site Match.com - via a Wi-Fi network with WPA2 encryption. Vanhoef explains how his hack is "able to decrypt all data that the victim transmits".
Vanhoef adds: "Our attack is not limited to recovering login credentials (email addresses and passwords). In general, any data or information that the victim transmits can be decrypted."
Krack is claimed to be "especially catastrophic" against version 2.4 and above of wpa_supplicant, a Wi-Fi client used on Linux. Because Android uses wpa_supplicant, Vanhoef says: "Android 6.0 [Marshmallow] and above also contain this vulnerability. This makes it trivial to intercept and manipulate traffic sent by these Linux and Android devices."
In the case of these Android devices, the exploit forces the victim's handset to use a predictable all-zero encryption key.
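The two technical points above, the nonce that the four-way handshake is supposed to use only once and the all-zero key that affected Android and wpa_supplicant clients end up installing, can be seen in a small model. The following is an added illustration written for this article; it is not code from the article, from Vanhoef's research or from any Wi-Fi implementation. It models a client's per-key packet number (the nonce) with a toy counter-mode keystream built from HMAC-SHA256 standing in for CCMP's AES-CTR, and it assumes constructed plaintexts and a constructed key. It shows why a reinstalled key that resets the nonce lets two frames share a keystream, why an all-zero key needs no secret to undo, how a patched client avoids the reset, and a monitor-side check that flags a packet number going backwards.

```python
import hashlib
import hmac

KEY_LEN = 16  # CCMP uses a 128-bit temporal key


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Counter-mode keystream from (key, nonce). Identical inputs give identical
    output, which is exactly why a nonce must never repeat under one key.
    HMAC-SHA256 is a stand-in here for the AES-CTR used by real CCMP."""
    out = b""
    block = 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + block.to_bytes(4, "big")  # 48-bit PN like CCMP
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Wi-Fi client holding a key and a packet number that increments per frame."""

    def __init__(self, fixed: bool):
        self.fixed = fixed          # True models a patched client
        self.key = None
        self.packet_number = 0

    def handle_message3(self, ptk: bytes) -> None:
        """Handshake message 3 carries the key to install. A vulnerable client
        reinstalls it on every (re)transmission and resets the nonce to zero."""
        if self.fixed and ptk == self.key:
            return                  # patched: ignore reinstall of the installed key
        self.key = ptk
        self.packet_number = 0      # harmless on first install, fatal on reinstall

    def send(self, plaintext: bytes):
        self.packet_number += 1
        ct = xor(plaintext, keystream(self.key, self.packet_number, len(plaintext)))
        return self.packet_number, ct


def run_scenario(fixed: bool) -> dict:
    """Two frames around a retransmitted message 3. If the keystream repeated,
    c1 XOR c2 equals p1 XOR p2, so a known p1 exposes p2 without the key."""
    sta = Station(fixed)
    ptk = hashlib.sha256(b"constructed example PTK").digest()[:KEY_LEN]
    p1 = b"user=alice&pw=hunter2"     # constructed, assumed known to the observer
    p2 = b"cookie=sess-4f2a91c7d"     # constructed, the secret frame
    sta.handle_message3(ptk)
    pn1, c1 = sta.send(p1)
    sta.handle_message3(ptk)          # retransmitted message 3: key (re)installed
    pn2, c2 = sta.send(p2)
    recovered = xor(xor(c1, c2), p1)
    return {"pns": [pn1, pn2], "recovered": recovered, "target": p2}


def all_zero_key_demo() -> bool:
    """Models the wpa_supplicant 2.4+ case from the article: the reinstalled key
    is all zeros, so the keystream can be computed by anyone."""
    sta = Station(fixed=False)
    sta.handle_message3(bytes(KEY_LEN))
    p = b"any frame sent after the reinstall"
    pn, ct = sta.send(p)
    return xor(ct, keystream(bytes(KEY_LEN), pn, len(ct))) == p


def nonce_regressions(observed):
    """Monitor-side check: packet numbers from one station under one key must
    strictly increase; indices where they do not are reinstallation indicators."""
    return [i for i in range(1, len(observed)) if observed[i] <= observed[i - 1]]


if __name__ == "__main__":
    print("vulnerable:", run_scenario(fixed=False))
    print("patched:   ", run_scenario(fixed=True))
    print("all-zero key decrypts without a secret:", all_zero_key_demo())
    print("regressions in [1, 2, 3, 1, 2]:", nonce_regressions([1, 2, 3, 1, 2]))
```

The vulnerable run sends both frames with packet number 1 and recovers the second plaintext from the first; the patched run, which ignores the repeated message 3 exactly as the fix for wpa_supplicant does, sends them with packet numbers 1 and 2 and recovers nothing. The nonce_regressions check is the kind of signal a wireless monitor can watch for, since a packet number that does not increase is never legitimate under one key.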
A presentation explaining more about the attack will be given at the Computer and Communications Security (CCS) conference in Dallas on November 1.
US-CERT (Computer Emergency Readiness Team) has issued an advisory that warns: "US-CERT has become aware of several key management vulnerabilities in the four-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected."
The final section of Vanhoef's blog post explaining the hack asks: "So you expect to find other Wi-Fi vulnerabilities?", to which he replies by quoting Master Chief from the Halo video game: "I think we're just getting started".