For a long time now, the fear of getting hacked has been widespread. In fact, Americans are more afraid of hackers stealing their credit card information than of becoming victims of a murder or any type of assault. Unfortunately, this fear is still quite real, especially after the recently revealed Wi-Fi vulnerabilities that undermine our safety online.
According to security researchers, the global standard for wireless internet connection appears to have been hacked, which compromises the privacy of personal information worldwide. The weakness in WPA2 was discovered by Mathy Vanhoef of Belgium’s KU Leuven University, who states: “The attack works against all modern protected Wi-Fi networks.”
To make matters worse, any type of digital device that supports a Wi-Fi connection is likely to be compromised, which means no one is actually protected from cyber-crimes. Hackers can easily exploit this vulnerability, commonly known as a “key reinstallation attack” (KRACK), and use information that was believed to be encrypted.
That said, it’s not just our sensitive data that is at stake. With a compromised network, hackers can also intercept passwords and emails, take over devices, and insert ransomware or other malicious content onto our systems. As Mathy explains: “This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on.”
Vanhoef also provided a video showing the attack against a device running the Android mobile operating system. The YouTube video shows the attack and the decryption of the data that a mobile phone sends to the access point. This type of hacking works by forcing the smartphone into reinstalling an all-zero encryption key in place of the real one that is already in use.
While Linux is particularly vulnerable to these attacks, the researchers state: “Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations. For example, HTTPS was previously bypassed in non-browser software, in Apple’s iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps.”
On a somewhat positive note, this hack can’t be performed remotely over the internet. A hacker who tries to take advantage of this loophole needs to do it locally, within range of the wireless network they intend to breach. The attack works only by deceiving a WPA2 security mechanism called the four-way handshake, which provides access to the Wi-Fi network if the device has the correct credentials.
Mathy explains that an encryption key should be installed and used only once in order to guarantee safety, but unfortunately the WPA2 protocol does not guarantee this. “By manipulating cryptographic handshakes, we can abuse this weakness in practice.”
The good news is that the code that allows these attacks to occur was not released to the public. Therefore, the hackers still don’t have the upper hand, because they don’t have complete knowledge of how it works.
On the other hand, we are obviously not safe from the risks or possible future attacks. But before that happens, Vanhoef encourages technology companies and all users to patch their systems with the remedies that are already available, because “changing the password of your Wi-Fi network does not prevent (or mitigate) the attack.” Mathy goes on to explain that we need to make sure our devices, as well as our routers’ firmware, are regularly updated.
While tech companies such as Google and Apple promise security updates to fix the cracked Wi-Fi protocol, the ongoing threat poses a huge concern for industries that depend on IoT (Internet of Things) devices. In addition, let’s not forget about the dangers to home safety posed by Wi-Fi enabled security cameras.
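The install-once rule described above, as an added example that is not from the original article or from Vanhoef's research: a simplified Python model of a client's key handling, in which the `Client` class, the SHA-256 keystream (a stand-in for WPA2's real cipher) and all sample values are constructed for illustration. It shows that reinstalling a key already in use resets the nonce so two frames share one keystream, and that refusing to reinstall the same key prevents this.

```python
import hashlib

def keystream(key, nonce, n):
    # Stand-in stream cipher for illustration only; real WPA2 uses AES-CCMP.
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]

class Client:
    """Toy model of a Wi-Fi client's key-install logic (hypothetical, simplified)."""
    def __init__(self, install_once):
        self.install_once = install_once
        self.key, self.nonce = None, 0
        self.used = set()              # (key, nonce) pairs already used to encrypt

    def on_handshake_msg3(self, key):
        # Message 3 of the four-way handshake tells the client to install the key.
        if self.install_once and key == self.key:
            return                     # patched behaviour: ignore a repeated message 3
        self.key, self.nonce = key, 0  # (re)installing resets the nonce counter

    def send(self, plaintext):
        self.nonce += 1
        reused = (self.key, self.nonce) in self.used
        self.used.add((self.key, self.nonce))
        ks = keystream(self.key, self.nonce, len(plaintext))
        return bytes(p ^ k for p, k in zip(plaintext, ks)), reused

def run(install_once):
    key = b"constructed-session-key"   # constructed sample value
    p1, p2 = b"first frame ", b"second frame"
    c = Client(install_once)
    c.on_handshake_msg3(key)
    ct1, _ = c.send(p1)
    c.on_handshake_msg3(key)           # the same message 3 arrives a second time
    ct2, reused = c.send(p2)
    xor_ct = bytes(a ^ b for a, b in zip(ct1, ct2))
    xor_pt = bytes(a ^ b for a, b in zip(p1, p2))
    # If the keystream repeated, it cancels out and the ciphertexts leak p1 XOR p2.
    return reused, xor_ct == xor_pt

if __name__ == "__main__":
    print("reinstall allowed:", run(install_once=False))
    print("install once only:", run(install_once=True))
```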
In the words of Alan Woodward from the University of Surrey’s Center for Cyber Security: “It seems to affect all Wi-Fi networks, it’s a fundamental flaw in the underlying protocol, even if you’ve done everything right [your security] is broken.”
Until we get more information and workable solutions, you can check out the research paper on the key reinstallation attack online. Remember to pay attention to vulnerable Wi-Fi access points and to choose VPN providers carefully, since many services can’t promise user security.