Severe Wi-Fi Security Flaw Puts Millions of Devices at Risk 'Krack Attack' allows hackers to steal credit cards, bank info and more.

By Steve Dent

This story originally appeared on Engadget

Shutterstock

Researchers have discovered a key flaw in the WPA2 Wi-Fi encryption protocol that could allow hackers to intercept your credit card numbers, passwords, photos and other sensitive information. The flaws, dubbed "Key Reinstallation Attacks," or "Krack Attacks," are in the Wi-Fi standard and not specific products. That means that just about every router, smartphone and PC out there could be impacted, though attacks against Linux and Android 6.0 or greater devices may be "particularly devastating," according to KU Leuven University's Mathy Vanhoef and Frank Piessens, who found the flaw.

Here's how it works. Attackers find a vulnerable WPA2 network, then make a carbon copy of it and impersonate the MAC address, then change the Wi-Fi channel. This new, fake network acts as a "man in the middle," so when a device attempts to connect to the original network, it can be forced to bypass it and connect to the rogue one.

Normally, WPA2 encryption requires a unique key to encrypt each block of plain text. However, the hack described in the Krack Attack paper forces certain implementations of WPA2 to reuse the same key combination multiple times.

The problem is made worse by Android and Linux, which, thanks to a bug in the WPA2 standard, don't force the client to demand a unique encryption key each time. Rather, they allow a key to be cleared and replaced by an "all-zero encryption key," foiling a key part of the handshake process. In some cases, a script can also force a connection to bypass HTTPS, exposing usernames, passwords and other critical data.

The system takes advantage of a flaw in the "handshake" method to direct users to the malicious network. Neither Wi-Fi passwords nor secret keys can be obtained, the researchers say, as the hack works by forging the entire network. As such, it can't be used to attack routers, but hackers can still eavesdrop on traffic, making it particularly dangerous for corporations.

As shown above, the researchers did a proof-of-concept attack on Android, and were able to decrypt all the victim's transmitted data. They point out that this will "not work on a properly configured HTTPS site," but will work on a "significant fraction" that are poorly set up. Other devices, like those running MacOS, Windows, OpenBSD and other operating systems, are affected to a lesser extent. "When attacking other devices, it is harder to decrypt all packets, although a large number of packets can nevertheless be decrypted," say the researchers.

After earlier, more limited hacks, the WPA2 protocol has been suspect for a while, so many security folks were already bracing themselves for something bad. If you still doubt the seriousness of it, Alex Hudson, for one, is actually advising Android users to "turn off Wi-Fi on these devices until fixes are applied." He adds that "you can think of this a little bit like your firewall being defeated."

As such, you can protect yourself to a great extent by sticking with sites that have solid, proven HTTPS security. And of course, the attack won't work unless the attacker is nearby and can physically access your network.

The problem should be relatively easy to fix. A firmware change can force routers to require a dedicated certificate for each handshake, instead of relying on the one already generated. And, as the security researchers who discovered it say, "implementations can be patched in a backwards-compatible manner."

That means if you patch your Android device and not your router, you can still communicate and be safe, and vice-versa. Nevertheless, they also advise to patch all your devices as soon as security updates are available. For more details about the hack, check this very detailed FAQ from Aruba Networks.

Want to be an Entrepreneur Leadership Network contributor? Apply now to join.

Science & Technology

This AI is the Key to Unlocking Explosive Sales Growth in 2025

Tired of the hustle? Discover a free, hidden AI from Google that helped me double sales and triple leads in a month. Learn how this tool can analyze campaigns and uncover insights most marketers miss.

Business News

'We're Not Allowed to Own Bitcoin': Crypto Price Drops After U.S. Federal Reserve Head Makes Surprising Statement

Fed Chair Jerome Powell's comments on Bitcoin and rate cuts have rattled cryptocurrency investors.

Business News

A New Hampshire City Was Named the Hottest Housing Market in the U.S. This Year. Here's the Top 10 for 2024.

Zillow released its annual lists featuring the top housing markets, small towns, coastal cities, and geographic regions. Here's a look at the top real estate markets and towns in 2024.

Business Ideas

63 Small Business Ideas to Start in 2024

We put together a list of the best, most profitable small business ideas for entrepreneurs to pursue in 2024.

Business Ideas

Is Your Business Healthy? Why Every Entrepreneur Needs To Do These 3 Checkups Every Year

You can't plan for the new year until you complete these checkups.

Making a Change

Expand Your Global Reach with Access to More Than 150 Languages for Life

Unlock global markets with this language-learning platform.