Wi-fi Security Flaw 'puts Devices At Risk Of Hacks'
The wi-fi connections of businesses and homes around the world are at risk, according to researchers who have revealed a major flaw dubbed Krack.
It concerns an authentication system which is widely used to secure wireless connections.
Experts said it could leave "the majority" of connections at risk until they are patched.
The researchers added the attack method was "exceptionally devastating" for Android 6.0.
The US Computer Emergency Readiness Team (Cert) has issued a warning on the flaw.
"US-Cert has become aware of several key management vulnerabilities in the four-way handshake of wi-fi protected access II (WPA2) security protocol," it said.
"Most or all correct implementations of the standard will be affected."
Computer security expert from the University of Surrey Prof Alan Woodward said: "This is a flaw in the standard, so potentially there is a high risk to every single wi-fi connection out there, corporate and domestic.
"The risk will depend on a number of factors including the time it takes to launch an attack and whether you need to be connected to the network to launch one, but the paper suggests that an attack is relatively easy to launch.
"It will leave the majority of wi-fi connections at risk until vendors of routers can issue patches."
Security handshake
The vulnerability was discovered by researchers led by Mathy Vanhoef, from Belgian university, KU Leuven.
According to his paper, the issue centres around a system of random number generation known as Nonce (a number that can only be used once), which can in fact be reused to allow an attacker to enter a network and snoop on the data being sent in it.
"All protected wi-fi networks use the four-way handshake to generate a fresh session key and so far this 14-year-old handshake has remained free from attacks, he writes in the paper describing Krack (key reinstallation attacks).
"Every wi-fi device is vulnerable to some variants of our attacks. Our attack is exceptionally devastating against Android 6.0: it forces the client into using a predictable all-zero encryption key."
More details can be found at this website.
Krack explained
Prof Alan Woodward explained the issue to the BBC.
When any device uses wi-fi to connect to, say, a router it does what is known as a "handshake": it goes through a four-step dialogue, whereby the two devices agree a key to use to secure the data being passed (a "session key").
This attack begins by tricking a victim into reinstalling the live key by replaying a modified version of the original handshake. In doing this a number of important set-up values can be reset which can, for example, render certain elements of the encryption much weaker.
This attacks appears to work on all wi-fis tested - prior to the patches currently being issued.
In some it is possible to decrypt and inject data, enabling an attacker to hijack a connection. In others it is even worse as it is possible to forge a connection, which, as the researchers note, is "catastrophic".
The people this could be most problematic for are the internet service providers who have millions of routers in customers' homes. How will they make sure all of them are secure?
From Chip War To Cloud War: The Next Frontier In Global Tech Competition
The global chip war, characterized by intense competition among nations and corporations for supremacy in semiconductor ... Read more
The High Stakes Of Tech Regulation: Security Risks And Market Dynamics
The influence of tech giants in the global economy continues to grow, raising crucial questions about how to balance sec... Read more
The Tyranny Of Instagram Interiors: Why It's Time To Break Free From Algorithm-Driven Aesthetics
Instagram has become a dominant force in shaping interior design trends, offering a seemingly endless stream of inspirat... Read more
The Data Crunch In AI: Strategies For Sustainability
Exploring solutions to the imminent exhaustion of internet data for AI training.As the artificial intelligence (AI) indu... Read more
Google Abandons Four-Year Effort To Remove Cookies From Chrome Browser
After four years of dedicated effort, Google has decided to abandon its plan to remove third-party cookies from its Chro... Read more
LinkedIn Embraces AI And Gamification To Drive User Engagement And Revenue
In an effort to tackle slowing revenue growth and enhance user engagement, LinkedIn is turning to artificial intelligenc... Read more