Belgian security researchers have found a critical leak in the wireless security standard "WPA2", currently the most used encryption method for WiFi networks. The attack on the WPA2 encryption technology has been called KRACK, an abbreviation for Key Reinstallation Attacks.
The vulnerability allows attackers to gain access to a password protected WiFi network. They can eavesdrop on internet traffic and with some versions of the WPA2 standard, it's even possible to send malcious traffic to connected devices.
An attacker has to be physically close to the WiFi network in order to exploit the vulnerability and only internet traffic that doesn't go over HTTPS can be spied on. More and more websites and apps use HTTPS connections, which add an additional layer of encryption, and can therefore not be eavesdropped on.
In their report (PDF) the researchers state that every WiFi device is vulnerable to the KRACK attack. Devices running Android 6.0 and later are even more vulnerable due to a bug in the operating system, according to the researchers. This bug makes it even simpler to intercept and manipulate internet traffic. Affected Android versions currently run on about 50% of all Android devices currently in use worldwide.
Google has announced it will release a patch on the 6th of November, however many older Android devices no longer receive security updates and will thus remain vulnerable.
The KRACK attack circumvents the encryption of the WPA2 connection. This is possible thanks to a bug in the 'handshake' part of the standard that happens when devices connect to a WiFi router.
WPA2 is the most used security method for WiFi networks to encrypt passwords. The standard was for a long time considered the best security measures, its predecessor WEP was already cracked about 10 years ago. The vulnerability does not make the WiFi password visible to the attacker.
The American Computer Emergency Readiness Team (CERT) already issued a warning for the leak. Due to the findings of the security researchers, password protected WiFi networks are now just as vulnerable as open WiFi networks.
It's possible to patch the vulnerability by not allowing re-usage of the encryption keys during the authentication process, according to the researchers. This can be done by patching the router, or the devices that connect to it. If one of the devices is patched, the KRACK attack no longer works. Researchers advice to update devices that connect with a network first.
It's unknown when or if, manufacturers of electronic devices will release security updates. Currently there have no updates been released for operating systems like Android, iOS, Windows and MacOS.
