19 Oct'17

Researchers find security vulnerability when users connect to WiFi


Two Belgium researchers, Mathy Vanhoef and Frank Piessens, found a weakness ‘in WPA2, a protocol that secures all modern protected Wi-Fi networks.’ The findings are detailed on the website krackattacks.


The weakness is in the ‘four-way handshake’. Arstechnica describe this as the process of when a client ‘joins a WPA2-protected Wi-Fi’ which confirms that the user and access points have the ‘correct credentials’. Attackers trick the user ‘into reinstalling an already-in-use key.’ This reinstallation allows the ‘encryption to be bypassed’.


Vanhoef and Piessens stated that ‘key reinstallation attacks’ (KRACKs) means private information (such as credit card numbers, passwords and emails) can be stolen. The researchers also warn that it is possible for an attacker to manipulate data by inserting malware into websites. An attacker can only steal data when within range of a victim.


In the report the key messages that have been highlighted are: ‘attack works against all modern protected Wi-Fi networks’ and ‘if your device supports Wi-Fi, it is more likely affected’.


The advice to users is to downloads updates as soon as they become available to prevent an attack.


Speaking to Popular Science, Apple have said that fixes for this vulnerability will be available to consumers via updates in the next few weeks for iOS, macOS, watchOS, and tvOS.


Popular Science also quote Karen Sohl (Belkin’s Communication Director) and Candid Wueest (Threat Research at Sumantec) with advice for users.


Sohl states that they will post instructions on their ‘security advisory page on what customers can do to update their products, if and when required’.


Wueest says that although this is ‘a serious vulnerability’, people should not panic.


This research will be presented at the Computer and Communications Security conference on Wednesday 1st November.


Read the complete research paper here.



Secure Data – Cyber Security by Blue Coat Photos on Flickr. Licensed by CC BY-SA 2.0. Adapted from orginal by removing the two top icons