Mathy Vanhoef has discovered what may be the biggest vulnerability of the year – a flaw in the WPA2 protocol used to encrypt Wi-Fi communications.
An attacker could exploit the vulnerability in WPA2’s handshake protocols to intercept sensitive information such as passwords. At-risk devices include those running Android, Apple, Linux, OpenBSD and Windows operating systems.
Vanhoef describes the attack as being “exceptionally devastating against Linux and Android 6.0 or higher.”
However, don’t panic too much.
Much of the web these days (and an increasing number of apps) is using HTTPS/SSL for encryption, limiting the opportunities for stealing information through the KRACK attack.
Furthermore, an attacker has to be within range of your Wi-Fi network to launch a KRACK attack against it. This isn’t something that a hacker on the other side of the world can use to spy on you.
Finally, Wi-Fi hardware vendors were informed responsibly of the KRACK attack from July onwards, long before it was made public – meaning that many have been beavering away developing fixes. Accordingly, there is a long list of advisories from many different vendors that you can peruse at your leisure.
The rules haven’t changed – reduce the risk by patching your devices as soon as security updates are released. And, if you have access to a trusted VPN service, use it to add an additional layer of protection!
Oh and a side note. Developers who *hadn’t* been properly following the WPA2 specification ironically found that their software *wasn’t* vulnerable to exploitation. There’s really no justice in the world, is there?
Hear more about KRACK in this episode of the “Smashing Security” podcast:
Smashing Security #048: 'KRACK, North Korea, and an 18th century cyber attack'
Of course, for the millions of us using (non-new Pixel) Android phones, the carriers will NEVER update this massive breach, nor will the political arm of Comcast (the former FCC) do jack squat to lean on these a-holes. They will all parrot the same advice: BUY NEW HARDWARE, CA-CHING. There Ain't No Justice.
…within range of your Wi-Fi network…., and the range is?
Reason I ask is that I live in a flat, 7 metres above ground level.
The range depends on the sensitivity of the antenna on the attacker's device, but it's at least 300 feet (length of a football field), commonly as far as 600 feet and with the right antenna likely to be much further than that. 7 metres = 22 feet, which is well within the range limit of Bluetooth, let alone WiFi.
Thanks, although wondering how prominent the antennas are?
Could it be used within a car or would the antenna have to be used in an open area such as a field?