Mathy Vanhoef, a researcher at the Catholic University of Leuven in Belgium, has discovered the ‘KRACK Attack,’ a way to crack WPA2 in Wi-Fi routers. Before you ask, WPA2 is a 13-year-old security protocol used in nearly all Wi-Fi routers around the globe.
WPA2’s role is to prevent hackers from snooping on the connected device, be it a smartphone, tablet or PC. Vanhoef has posted details of the attack, termed the ‘KRACK Attack’ or Key Reinstallation Attack, on his website.
Cracking the security protocol of the Wi-Fi router means that Vanhoef has found a way to hack almost any router, and by extension, the devices connected to it. This indeed means millions of smartphones and PCs.
The KRACK Attack does not take place over the internet. It requires the hacker to be physically present within the Wi-Fi router’s range. The researcher says that the attack can result in hackers eavesdropping on traffic between the Wi-Fi router and the connected device and collecting data.
Executing the attack can give hackers access to data on devices regardless of how secure their OSes are. The attack works successfully on Windows, Mac, iOS, Linux and Android. Vanhoef adds that Android 6.0 Marshmallow and Linux 2.4, and their later versions, are the most vulnerable.
So how does KRACK Attack work?
While the details posted by Vanhoef on the krackattacks.com website are too technical for most of us, Tom’s Guide has explained it as simply as possible.
When you connect your smartphone (for instance) to a Wi-Fi router, the router transmits a one-time key to the device. The key is unique to that device and the connection. This prevents any other device connected to the same Wi-Fi router from interfering with the connection between the first device and the router.
However, when the router sends a one-time key to the client device (the smartphone in this case) and the device does not respond or acknowledge it, the router can send the key two more times. This is where the hacker within the router’s range comes in.
Since the router can send the one-time key thrice, the hacker can break in between and capture the one-time key. Using the vulnerability, the hacker can also force the client device to connect to the hacker’s bogus Wi-Fi network. This process will let the hacker decrypt information passing between the client device and the Wi-Fi router.
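The repeated key message described above, modelled as an added example (not code from Vanhoef's site or from this article): a client that installs the same key again each time the router repeats it resets its packet counter, so two different packets end up encrypted with the identical key and counter, while a patched client installs a given key only once. The class, function names, sample key and toy cipher are assumptions made for illustration; real WPA2 uses different ciphers.

```python
import hashlib

def keystream(key: bytes, counter: int, n: int) -> bytes:
    # Toy stream cipher for illustration only; not the cipher WPA2 uses.
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(
            key + counter.to_bytes(8, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:n]

class Client:
    """Hypothetical Wi-Fi client; `patched` selects the fixed behaviour."""
    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.counter = 0
        self.used = []  # every (key, counter) pair used to encrypt a packet

    def on_key_message(self, key: bytes) -> None:
        # The router may repeat this message if it sees no acknowledgement.
        if self.patched and key == self.key:
            return  # fix: this key is already installed, keep the counter
        self.key = key
        self.counter = 0  # installing a key resets the packet counter

    def send(self, data: bytes) -> bytes:
        self.counter += 1
        self.used.append((self.key, self.counter))
        ks = keystream(self.key, self.counter, len(data))
        return bytes(a ^ b for a, b in zip(data, ks))

def reused_pairs(client: Client) -> int:
    # Number of packets encrypted under an already-used (key, counter) pair.
    return len(client.used) - len(set(client.used))

def run(patched: bool):
    key = b"constructed-session-key"  # constructed sample value
    client = Client(patched)
    client.on_key_message(key)             # first delivery of the key
    first = client.send(b"first packet")
    client.on_key_message(key)             # the router repeats the key message
    second = client.send(b"other packet")
    return client, first, second

if __name__ == "__main__":
    for patched in (False, True):
        c, _, _ = run(patched)
        print("patched" if patched else "unpatched", "reused pairs:", reused_pairs(c))
```

With the unpatched client the two ciphertexts share one keystream, so XORing them cancels the encryption and leaves only the XOR of the two plaintexts; this is the property a vendor's security update removes.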
What information is at stake?
Pretty much everything that lies inside the connected device is exposed. This can include anything from emails, plain texts, passwords, credit card details, bank account login details, contact numbers, messages and more. In addition to this, the attacker can also inject malware on the client device.
What the attacker cannot access
The attacker will, however, not be able to read your traffic to the HTTPS websites you are logging in to, as they have their own encryption in place. This applies only to websites that have a proper implementation of HTTPS web encryption.
What can you do?
Your smartphone or connected PC is not likely to be attacked anytime soon. But even if it does get KRACK Attack-ed, there is not much you can do at this point. Vanhoef says on his website that WPA2 is not where the flaw is; it’s the security protocol’s implementation. You don’t need to change the password or the router, as it won’t make much difference. You can, however, wait for the router manufacturer to roll out security updates with a fix.