KRACK Wi-Fi flaw opens nearly every internet-connected device to surveillance by hackers
Advertisement

KRACK Wi-Fi flaw opens nearly every internet-connected device to surveillance by hackers

A newly-discovered security flaw affects virtually every Wi-Fi device, and could render your home network as readable to hackers as the free Wi-Fi at a coffee shop.

Belgian Researcher Mathy Vanhoef has detailed a method of breaking WPA2, the security protocol used by the large majority of routers and devices to secure internet connections. By utilising the flaw, which Mr Vanhoef is calling KRACK (for Key Reinstallation Attack), malicious actors could potentially eavesdrop on the traffic of any access point they were physically near.

Companies are currently rolling out updates to computer and mobile operating systems, as well as firmware for routers and other internet devices, that address the problem.

"The attack works against all modern protected Wi-Fi networks," Mr Vanhoef says on a website he created to share information on the flaw. "If your device supports Wi-Fi, it is most likely affected."

'If your device supports Wi-Fi, it is most likely affected', researcher says.

'If your device supports Wi-Fi, it is most likely affected', researcher says.

Advertisement

Beyond monitoring a network to steal or spy, hackers could also interrupt and affect the flow of information, he says.

"Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites."

The minister assisting the Prime Minister for cyber security, Dan Tehan, said the Australian Cyber Security Centre is investigating the issue, but in the meantime Australian organisations and individuals should "patch or update your software and applications when new versions become available".

Mr Vanhoef said operating systems including Android, Linux, and those made by Microsoft and Apple were all vulnerable to the exploit, although the nature of iOS and Windows devices meant the impact wouldn't be as severe as on other systems. The attack, however, was "exceptionally devastating" for devices that run Android 6.0, he says.

Though first released in 2015, Google data from October 2017 shows that Android 6.0 is the version running on the majority of internet-connected Android devices. In a statement, the company said it was aware of the issue and would be patching any affected devices "in the coming weeks."

MR Vanhoef says he first alerted vendors to the flaw in July and August 2017.

Apple has reportedly issued a fix in the latest beta versions of its iOS, macOS, tvOS, and watchOS platforms.

In a statement, Microsoft said it had released a security update for "all supported versions of Windows".

"Customers who applied the update, or have automatic updates enabled, will already be protected. We continue to encourage customers to turn on automatic updates to help ensure they benefit from the latest protections available," the statement said.

Many operating systems and applications (including web browsers) use additional security methods to prevent eavesdropping, but while sensitive data like credit card information might be hard for eavesdropping hackers to extract, it wouldn't be impossible.

"Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations," Mr Vanhoef says.

He acknowledges that some of the hacking scenarios listed at his website would be impractical for most attackers to pull off, but he still suggests updating the software on any "client device" (i.e. computers, phones or anything you use to connect to the internet) as soon as possible, and consider updating your router's firmware as an added precaution.

The Wi-Fi Alliance, an industry group that represents hundreds of Wi-Fi technology companies, said the issue "could be resolved through a straightforward software update."

The group said in a statement it had advised members to release patches quickly and recommended that consumers quickly install those security updates.

With agencies

Tim Biggs

Tim is the editor of Fairfax's technology sections.

Most Viewed in Technology

Loading

Morning & Afternoon Newsletter

Delivered Mon–Fri.

By signing up you accept our privacy policy and conditions of use