
KRACK Wi-Fi flaw opens nearly every internet-connected device to surveillance by hackers


A newly-discovered security flaw affects virtually every Wi-Fi device, and could render your home network as readable to hackers as the free Wi-Fi at a coffee shop.

Belgian researcher Mathy Vanhoef has detailed a method of breaking WPA2, the security protocol used by the large majority of routers and devices to protect Wi-Fi connections. The attack abuses the handshake in which a client and an access point agree on a session key: by replaying a handshake message, the attacker tricks the client into reinstalling a key it is already using, which resets the counters that keep the encryption fresh. Using the flaw, which Mr Vanhoef calls KRACK (for Key Reinstallation Attack), an attacker within radio range of a vulnerable device could potentially eavesdrop on its traffic.


Companies are currently rolling out updates to computer and mobile operating systems, as well as firmware for routers and other internet devices, that address the problem.

"The attack works against all modern protected Wi-Fi networks," Mr Vanhoef says on a website he created to share information on the flaw. "If your device supports Wi-Fi, it is most likely affected."

Beyond monitoring a network to steal or spy, hackers could also interrupt and affect the flow of information, he says.

"Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites."


The minister assisting the Prime Minister for cyber security, Dan Tehan, said the Australian Cyber Security Centre is investigating the issue, but in the meantime Australian organisations and individuals should "patch or update your software and applications when new versions become available".

Mr Vanhoef said operating systems including Android, Linux, and those made by Microsoft and Apple were all vulnerable to the exploit, although the nature of iOS and Windows devices meant the impact wouldn't be as severe as on other systems. The attack, however, was "exceptionally devastating" for devices that run Android 6.0, he says.
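To show what "key reinstallation" means in practice, both for the general eavesdropping case the article describes and for the all-zero-key variant that makes Android 6.0 devices especially exposed, here is an added illustration. It is not code from the article or from Mr Vanhoef. The cipher is a toy counter-mode keystream built from SHA-256 that stands in for WPA2's AES-CCM so the script runs with only the Python standard library; the 4-way handshake is reduced to "receive message 3"; and the session key, frame contents and the attacker's known plaintext are constructed sample values. The property demonstrated, that resetting the per-frame packet number reuses keystream and so leaks the XOR of two plaintexts, holds for the real cipher as well.

```python
# Added illustration of the WPA2 key-reinstallation problem. Not code from the
# article or from Mathy Vanhoef. The keystream below is a toy stand-in for
# AES-CCM (assumption of this example), chosen so that only the standard
# library is needed. Keys and frame contents are constructed sample values.
import hashlib

def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Counter-mode keystream for one frame: a function of key and nonce only."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + packet_number.to_bytes(6, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Client side of the 4-way handshake, reduced to the state that matters."""
    def __init__(self, patched: bool, zero_key_variant: bool = False):
        self.patched = patched                    # fixed clients ignore a retransmitted message 3
        self.zero_key_variant = zero_key_variant  # models the wpa_supplicant 2.4+ (Android 6.0) behaviour
        self.negotiated = None                    # PTK as held by the handshake code
        self.ptk = None                           # PTK installed in the "driver"
        self.packet_number = 0                    # per-frame nonce for the installed key

    def receive_message3(self, ptk: bytes) -> None:
        if self.negotiated is None:
            self.negotiated = ptk
        elif self.patched:
            return                                # fix: never reinstall a key already in use
        self.ptk = self.negotiated
        self.packet_number = 0                    # the bug: (re)installing resets the nonce
        if self.zero_key_variant:
            # key wiped from memory after install, so a later reinstall
            # installs an all-zero key
            self.negotiated = bytes(len(ptk))

    def send(self, plaintext: bytes):
        """Encrypt one frame; returns (packet_number, ciphertext) as seen on air."""
        self.packet_number += 1
        ct = xor(plaintext, keystream(self.ptk, self.packet_number, len(plaintext)))
        return self.packet_number, ct

def attacker_recover(frames, known_plaintext: bytes):
    """Passive attacker in radio range sees (packet_number, ciphertext) pairs.
    If a nonce repeats under the same key, c1 xor c2 = p1 xor p2, and knowing
    p1 yields p2. Returns the recovered frame or None if no nonce repeated."""
    seen = {}
    for pn, ct in frames:
        if pn in seen:
            return xor(xor(seen[pn], ct), known_plaintext)
        seen[pn] = ct
    return None

def attacker_zero_key(frames):
    """Decrypt the last frame with an all-zero key (Android 6.0 variant only)."""
    pn, ct = frames[-1]
    return xor(ct, keystream(bytes(16), pn, len(ct)))

# Constructed sample traffic; both frames are 29 bytes so the XOR lines up.
KNOWN_PLAINTEXT = b"GET / HTTP/1.1\r\nHost: example"   # attacker can guess this
SECRET = b"Cookie: session=deadbeef; x=1"             # attacker wants this

def run_scenario(patched: bool, zero_key_variant: bool = False):
    ptk = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed session key
    client = Client(patched, zero_key_variant)
    captured = []
    client.receive_message3(ptk)                 # genuine message 3 from the access point
    captured.append(client.send(KNOWN_PLAINTEXT))
    client.receive_message3(ptk)                 # attacker replays message 3
    captured.append(client.send(SECRET))
    if zero_key_variant:
        return attacker_zero_key(captured)
    return attacker_recover(captured, KNOWN_PLAINTEXT)

if __name__ == "__main__":
    print("vulnerable client :", run_scenario(patched=False))
    print("patched client    :", run_scenario(patched=True))
    print("all-zero-key variant:", run_scenario(patched=False, zero_key_variant=True))
```

Against the vulnerable client the replayed message 3 resets the packet number, the second frame reuses the first frame's keystream, and the attacker reads the cookie; against the patched client the packet number keeps increasing and `attacker_recover` finds nothing. In the Android 6.0 variant the attacker does not even need a known plaintext, because the reinstalled key is all zeros.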

Android 6.0 was first released in 2015, but Google's October 2017 distribution figures show it is still the most widely used single version of Android. In a statement, the company said it was aware of the issue and would be patching any affected devices "in the coming weeks."

Mr Vanhoef says he first alerted vendors to the flaw in July and August 2017.

Apple has reportedly issued a fix in the latest beta versions of its iOS, macOS, tvOS, and watchOS platforms.

In a statement, Microsoft said it had released a security update for "all supported versions of Windows".

"Customers who applied the update, or have automatic updates enabled, will already be protected. We continue to encourage customers to turn on automatic updates to help ensure they benefit from the latest protections available," the statement said.

Many operating systems and applications (including web browsers) add their own encryption, such as HTTPS, on top of the Wi-Fi encryption, so sensitive data like credit card details might be hard for an eavesdropper to extract, but it wouldn't be impossible.

"Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations," Mr Vanhoef says.

He acknowledges that some of the attack scenarios listed on his website would be impractical for most attackers to pull off, but he still suggests updating the software on any "client device" (computers, phones or anything else you use to connect to a Wi-Fi network) as soon as possible, and updating your router's firmware as an added precaution; access points are mainly at risk when they support 802.11r fast roaming or themselves act as a client, as a repeater or bridge does.

The Wi-Fi Alliance, an industry group that represents hundreds of Wi-Fi technology companies, said the issue "could be resolved through a straightforward software update."

The group said in a statement it had advised members to release patches promptly and recommended that consumers install those security updates as soon as they become available.

With agencies