WPA2 encryption can now be hacked with new KRACKS method
Security Researcher Mathy Vanhoef of Imec-DistiNet discovered a weakness within the WPA2 protocol, potentially affecting all the wireless routers supporting WPA2, an attacker can take advantage of this vulnerability by using key re-installation attacks (KRACKS).
The attack can be used to intercept passwords, Emails, chat messages and even your credit card Information. Consider if your network is not configured properly the attacker can inject ransomware and other malware into the Web sites you visit.
He says that the weakness is in the Wi-Fi Standard itself even though if your router is perfectly configured you will be affected by this attack. Mathy suggests updating the Router’s Firmware when the Vendor issues the Updates to your Router.
“Note that if your device supports Wi-Fi, it is common that it is affected. During our initial research, we learned ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some modification of the attacks. For more data about specific products, consult the database of CERT/CC, or contact your vendor.”
In the research paper, he explains the attack as “exceptionally destructive” against Android 6.0:
“Because Android uses wpa_supplicant, Android 6.0 and above further contains this vulnerability. This presents it trivial to hijack and manipulate traffic sent by these Linux and Android devices,” he addresses on the Krackattacks site explaining the flaw. “Note that currently, 41% of Android devices are exposed to this exceptionally devastating variant of our attack.”
He also says that attacks on MacOS and OpenBSD are easier to execute although we agree that some of the attack scenarios in the paper are rather impractical, do not let this fool you into believing key re-installation attacks cannot be abused in practice.
Vanhoef further explains how the attack can still work against Web Apps and native Apps that are using HTTPS, explaining how this added encryption layer can be avoided in what he describes as a worrying number of conditions he flags multiple prior instances of HTTPS being avoided “in non-browser software, in Apple’s iOS and OS X, in Android apps, in Android apps again, in financial apps, and even in VPN apps.
See also a Proof-Concept-Video of the Attack: