A new vulnerability could impact all devices using WPA2 protocols to secure their Wi-Fi networks, according to a report released Monday.
The "serious weakness" in the WPA2 protocol allows attackers not only to read and steal information transmitted across Wi-Fi, but also potentially to manipulate the data or insert malware. The vulnerability was discovered by Mathy Vanhoef and Frank Piessens at KU Leuven and announced by US-CERT Monday.
The KRACK (key reinstallation attack) isn't a problem with the encryption itself, but rather with the "handshake process," the way a device connects to the access point. The attack leverages the four-way handshake that is part of the WPA2 protocol, which allows a user to connect to a network and then confirm their credentials for access. This process is used by all modern Wi-Fi networks. The key reinstallation attack abuses it by forcing a reset of the incremental transmit packet number (nonce) to zero, so the same encryption key is used again with nonce values that have already been used. This allows attackers to replay, decrypt or forge packets.
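To make the nonce-reset point concrete, here is an added illustration (not code from the researchers or from any Wi-Fi stack) of why reinstalling the same key is dangerous: a toy `Station` class models a client that either resets its packet number on every key install (vulnerable) or refuses to reinstall a key it already holds (the backwards-compatible fix). The keystream function is a hypothetical HMAC-based counter-mode stand-in for AES-CCM, chosen only because it runs without third-party libraries; the property shown, same key plus same nonce gives the same keystream, is what matters.

```python
import hashlib
import hmac


def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Toy counter-mode keystream (stand-in for AES-CCM): block i is keyed by (key, nonce, i)."""
    out, block = b"", 0
    while len(out) < length:
        msg = packet_number.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Client side of the handshake: holds the pairwise key and the transmit packet number."""

    def __init__(self, reject_reinstall: bool):
        self.key, self.pn, self.reject_reinstall = None, 0, reject_reinstall

    def install_key(self, key: bytes) -> bool:
        # Patched behaviour: an already-installed key is not installed again,
        # so the packet number keeps counting instead of restarting at zero.
        if self.reject_reinstall and key == self.key:
            return False
        self.key, self.pn = key, 0  # vulnerable behaviour: every install resets the nonce
        return True

    def encrypt(self, plaintext: bytes) -> tuple[int, bytes]:
        pn_used = self.pn
        self.pn += 1
        return pn_used, xor(plaintext, keystream(self.key, pn_used, len(plaintext)))


def demo(reject_reinstall: bool) -> tuple[int, int, bool]:
    """Returns the nonces used for two frames and whether keystream reuse leaks p1 XOR p2."""
    key = b"\x11" * 16  # constructed pairwise key, not a real one
    p1, p2 = b"first frame payload......", b"second frame payload....."
    sta = Station(reject_reinstall)
    sta.install_key(key)
    pn1, ct1 = sta.encrypt(p1)
    sta.install_key(key)  # models a retransmitted message 3 of the four-way handshake
    pn2, ct2 = sta.encrypt(p2)
    # With identical keystream, ct1 XOR ct2 == p1 XOR p2: plaintext structure leaks.
    return pn1, pn2, xor(ct1, ct2) == xor(p1, p2)
```

Running `demo(False)` shows both frames encrypted under nonce 0 and the XOR of the plaintexts recoverable; `demo(True)` shows the second frame moving on to nonce 1 and no such relation between the ciphertexts.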
The researchers said the vulnerability affects devices running Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others in some form. They said the vulnerability is "especially catastrophic" against version 2.4 and above of wpa_supplicant, which is common on Linux and on Android 6.0 and above.
"If your device supports Wi-Fi, it is most likely affected," a blog post on the vulnerability said.
The researchers said they weren't sure if the vulnerability has yet been exploited in the wild.
Michael Knight, president and CTO of Greenville, S.C.-based Encore Technology Group, said the KRACK vulnerability is going to be a "very big issue," both for businesses and residential users. While he said the attack is limited by hackers needing to be physically present to exploit the vulnerability, he said the widespread nature of the WPA2 protocol process and manual patching needed by many businesses and users will likely make it a security challenge that persists for quite some time.
"It's going to be very widespread and it will take a while to get everything patched. This isn't something where you can easily push an update out. … That’s a huge problem," Knight said.
The researchers said the vulnerability can be patched in a backwards-compatible manner, so they urged all users to update their devices and router firmware as soon as security updates are made available. They also said changing a Wi-Fi password will not prevent an attack, and that users should not revert to WEP until devices are patched but should continue to use WPA2 protocols.
Knight said manufacturers seem to be quick to respond, with some already rolling out patches, but he said the challenge will come for those with autonomous access points, who will need to update all devices individually. He said businesses will likely be quick to respond, but home users who historically never patch will likely prolong the vulnerability's effectiveness.
Encore Technology Group has already started formulating communications to send out to its customers about the issue, Knight said. The company is being careful not just to say "everything isn't secure" but to create the foundation for a conversation around security and the importance of patching this issue, he added.