Reports have emerged that the popular WPA2 Wi-Fi encryption protocol was fundamentally flawed, and could allow an attacker to intercept and read traffic sent across a wireless network. Now, details are emerging about the scale and severity of the problem.
Boom! There goes another issue we have to deal with now.
The attack – known as a key reinstallation attack (or KRACK) – sees a malicious actor replay message 3 of the WPA2 four-way handshake so that the victim reinstalls an encryption key it is already using. Reinstalling the key resets the per-packet nonce (and the replay counter), so the same keystream gets used twice, which is enough to decrypt traffic. Troublingly, Linux and Android-based users are most at risk. According to Mathy Vanhoef, who uncovered the issue, 41 percent of Android devices are vulnerable to an “exceptionally devastating” variant of the WPA2 attack, in which a client running wpa_supplicant 2.4 or later ends up installing an all-zero encryption key, which makes it “exceptionally trivial” to manipulate and intercept traffic.
Showing the broadth of the issue, Vanhoef named names, saying “During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks.”
Good morning.
Wi-Fi is literally fucked. https://t.co/Kxpp8llW0z pic.twitter.com/p5eVK89dQz
— Internet of Shit (@internetofshit) October 16, 2017
It’s hard to convey quite how bad this is.
On a practical level, it means an attacker within radio range can decrypt traffic between a client device and the access point, allowing them to peek inside anything not protected by a further layer such as TLS. Because the reinstalled key also resets the replay counter, they can replay frames, and where the network uses TKIP or GCMP rather than AES-CCMP they can forge and inject them too, theoretically allowing an individual to slip ransomware and malware into unencrypted web pages on an ad-hoc basis. The attack does not recover the Wi-Fi password itself, so changing it does not help; only a software fix does.
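To make the mechanism concrete, here is an added example (not code from the original article or from Vanhoef's research) modelling the key reinstallation and the keystream reuse it causes. It assumes a SHA-256 based stand-in for CCMP's AES-CTR keystream so that it runs with the Python standard library alone; the `Supplicant` class, the PTK value and the HTTP sample frames are all constructed for the demonstration. The access point retransmits message 3 whenever it does not receive message 4, so the attacker, sitting as a man-in-the-middle between client and AP, only has to withhold message 4 and forward the retransmission. A vulnerable client then reinstalls the key and resets its nonce, and two frames end up encrypted under the same keystream; XORing their ciphertexts cancels the keystream, and one guessable frame (a predictable HTTP request) reveals the other. The wpa_supplicant 2.4+ variant, where the reinstalled key is all zeros, needs no known plaintext at all.

```python
from __future__ import annotations
import hashlib

KEY_LEN = 16

# Constructed sample traffic: one frame whose plaintext the attacker can guess
# (a predictable HTTP request) and one frame they actually want to read.
KNOWN_PLAINTEXT = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
SECRET_PLAINTEXT = b"Cookie: session=constructed-secret-value\r\n"


def keystream(ptk: bytes, nonce: int, length: int) -> bytes:
    """Stand-in for CCMP's AES-CTR keystream.

    Assumption: a SHA-256 based PRF replaces AES so the example runs with the
    standard library alone. The property KRACK exploits is the same as in real
    CCMP: the keystream is a deterministic function of (key, nonce), so
    reusing a nonce under the same key reuses the keystream.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(ptk + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # Truncates to the shorter input, like an attacker limited by known plaintext.
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Toy model of a Wi-Fi client's handling of handshake message 3."""

    def __init__(self, reinstalls_key: bool, zeroes_key_on_reinstall: bool = False) -> None:
        self.reinstalls_key = reinstalls_key                    # the KRACK bug
        self.zeroes_key_on_reinstall = zeroes_key_on_reinstall  # wpa_supplicant 2.4+ variant
        self.ptk: bytes | None = None
        self.nonce = 0                                          # CCMP packet number

    def receive_msg3(self, ptk: bytes) -> None:
        """Message 3 of the 4-way handshake delivers the PTK; installing it resets the nonce."""
        if self.ptk is None:
            self.ptk, self.nonce = ptk, 0          # first, legitimate install
        elif self.reinstalls_key:
            # Vulnerable: a retransmitted message 3 reinstalls the key and
            # resets the nonce, so the keystream for the next frames repeats.
            # In wpa_supplicant 2.4+ the real key was already wiped from
            # memory, so what gets "reinstalled" is all zeros.
            self.ptk = bytes(KEY_LEN) if self.zeroes_key_on_reinstall else ptk
            self.nonce = 0
        # Patched: the key is installed exactly once; a retransmission only
        # gets message 4 resent and never touches the installed key or nonce.

    def send(self, plaintext: bytes) -> tuple[int, bytes]:
        assert self.ptk is not None, "no key installed yet"
        self.nonce += 1
        return self.nonce, xor_bytes(plaintext, keystream(self.ptk, self.nonce, len(plaintext)))


def krack_keystream_reuse(reinstalls_key: bool) -> bytes | None:
    """Replay message 3 and decrypt a frame via keystream reuse.

    Returns the recovered plaintext of the second frame, or None if the client
    never reused a nonce (the patched case).
    """
    ptk = hashlib.sha256(b"constructed PTK").digest()[:KEY_LEN]
    client = Supplicant(reinstalls_key)
    client.receive_msg3(ptk)                      # genuine message 3
    nonce_a, ct_a = client.send(KNOWN_PLAINTEXT)  # attacker sniffs this frame
    client.receive_msg3(ptk)                      # attacker forwards the AP's retransmitted message 3
    nonce_b, ct_b = client.send(SECRET_PLAINTEXT)
    if nonce_a != nonce_b:
        return None
    # Same key, same nonce => same keystream, so C_a xor C_b = P_a xor P_b.
    return xor_bytes(xor_bytes(ct_a, ct_b), KNOWN_PLAINTEXT)


def krack_all_zero_key() -> bytes:
    """The wpa_supplicant 2.4+ variant: no known plaintext needed at all."""
    ptk = hashlib.sha256(b"constructed PTK").digest()[:KEY_LEN]
    client = Supplicant(reinstalls_key=True, zeroes_key_on_reinstall=True)
    client.receive_msg3(ptk)
    client.receive_msg3(ptk)                      # replayed message 3 -> all-zero key
    nonce, ct = client.send(SECRET_PLAINTEXT)
    # The attacker knows the key is all zeros and reads the nonce off the frame header.
    return xor_bytes(ct, keystream(bytes(KEY_LEN), nonce, len(ct)))


if __name__ == "__main__":
    print("vulnerable :", krack_keystream_reuse(True))
    print("patched    :", krack_keystream_reuse(False))
    print("zero key   :", krack_all_zero_key())
```

The patched client behaves exactly like the fix that shipped: it installs the key once and treats later copies of message 3 as retransmissions, so the nonces of the two frames differ and nothing can be cancelled out. That is also why the fix is backwards compatible: the handshake messages on the air do not change, only what the client does with a duplicate.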
Vanhoef mentions that the issue can be resolved with a backwards-compatible software patch. Since the main variant is carried out against the client, patching clients is the priority; access points mainly need fixes where they support 802.11r fast roaming or act as clients themselves, as repeaters do. Patches should arrive soon, as he notified vendors in July, with a broader notification issued in August.
That’s good, but it’s worth remembering that there are a staggering number of devices (I wouldn’t be surprised if it measured in the billions) affected. Not just phones and laptops, but also embedded systems, like routers, printers, and other Wi-Fi-enabled IoT devices, which aren’t as straightforward to update.
Happy Monday, every device connected to Wi-Fi on the planet is leaking your data. pic.twitter.com/qH362HuKu4
— Internet of Shit (@internetofshit) October 16, 2017
And ultimately, people tend to be bad at patching things. Even in 2017, it’s not uncommon to hear of servers still connected to the Internet that are vulnerable to Heartbleed and Shellshock.
It’s also often the case that users aren’t even offered a patch for their devices. Android users are most at risk from this vulnerability, and yet the Android landscape is notorious for its fragmentation, with manufacturers issuing software updates and security patches at an excruciatingly slow pace. That is, if they bother at all.