ODU Researcher Explains Wi-Fi Security Flaw
October 25, 2017
By Jon Cawley
Add Wi-Fi to the long, and growing, list of essential digital devices that have been compromised by hackers sending consumers and security experts into a frenzy to understand and mitigate the damage.
The Wi-Fi vulnerability was recently reported by Mathy Vanhoef, a postdoctoral researcher at Belgium's Katholieke Universiteit Leuven. He discovered a serious weakness in WPA2, the standard security protocol widely used by most every Wi-Fi network.
Vanhoef determined that, due to an implementation flaw, a "man-in-the-middle" approach can be used to initiate Key Reinstallation Attacks, which are also known as KRACK.
Michael Wu, director of Old Dominion University's Cyber Security Research Center, said the vulnerability gives hackers the ability to crack Wi-Fi networks and decrypt packets sent by users.
"This would allow them to bypass the security protocol and turn the network into an unprotected system, and accordingly intercept all sensitive user information, including their passwords when they login to their bank accounts," Wu said.
Wi-Fi attacks are not new, Wu said, and his students study how they take place, but previous attacks against the WPA2 protocol involved password guessing. The new vulnerability is significant because it is the first attack that doesn't rely on guesswork, making it a quicker operation.
So, what can consumers do?
Wu said the vulnerability affects a wide range of Wi-Fi devices, including laptops, mobile phones and wireless routers.
"The good news is that the venders are quickly responding to the newfound vulnerability by putting together patches for the bug," he said. "The bad news is that there are so many variety of Wi-Fi devices from many different vendors. It takes time for all of them to have their patches in place and to get them installed on devices — especially for various Android devices."
Users should prioritize devices and make sure to first install patches on the most important ones.
But there's no reason to panic, even if a Wi-Fi device is unpatched, Wu said, just be careful.
He noted that to initiate an attack, a hacker must be in the range of the Wi-Fi network in order to capture wireless packets. Wu said that means that an in-home Wi-Fi network is less vulnerable, than a public one, because the odds are relatively low. However, try to avoid using public Wi-Fi networks before they are patched, since it is more likely that there is an attacker waiting there for victims, he said.
What can the industry do?
"This is just another example of flawed implementation of security algorithms and protocols," Wu said. "The development of future communications standards should be made more open to the security research community. Close collaboration with security experts in early stages of standardization would help mitigate such problems."