You can be on Entrepreneur’s cover!

Severe Wi-Fi Security Flaw Puts Millions of Devices at Risk 'Krack Attack' allows hackers to steal credit cards, bank info and more.

By Steve Dent

entrepreneur daily

This story originally appeared on Engadget

Shutterstock

Researchers have discovered a key flaw in the WPA2 Wi-Fi encryption protocol that could allow hackers to intercept your credit card numbers, passwords, photos and other sensitive information. The flaws, dubbed "Key Reinstallation Attacks," or "Krack Attacks," are in the Wi-Fi standard and not specific products. That means that just about every router, smartphone and PC out there could be impacted, though attacks against Linux and Android 6.0 or greater devices may be "particularly devastating," according to KU Leuven University's Mathy Vanhoef and Frank Piessens, who found the flaw.

Here's how it works. Attackers find a vulnerable WPA2 network, then make a carbon copy of it and impersonate the MAC address, then change the Wi-Fi channel. This new, fake network acts as a "man in the middle," so when a device attempts to connect to the original network, it can be forced to bypass it and connect to the rogue one.

Normally, WPA2 encryption requires a unique key to encrypt each block of plain text. However, the hack described in the Krack Attack paper forces certain implementations of WPA2 to reuse the same key combination multiple times.

The problem is made worse by Android and Linux, which, thanks to a bug in the WPA2 standard, don't force the client to demand a unique encryption key each time. Rather, they allow a key to be cleared and replaced by an "all-zero encryption key," foiling a key part of the handshake process. In some cases, a script can also force a connection to bypass HTTPS, exposing usernames, passwords and other critical data.

The system takes advantage of a flaw in the "handshake" method to direct users to the malicious network. Neither Wi-Fi passwords nor secret keys can be obtained, the researchers say, as the hack works by forging the entire network. As such, it can't be used to attack routers, but hackers can still eavesdrop on traffic, making it particularly dangerous for corporations.

As shown above, the researchers did a proof-of-concept attack on Android, and were able to decrypt all the victim's transmitted data. They point out that this will "not work on a properly configured HTTPS site," but will work on a "significant fraction" that are poorly set up. Other devices, like those running MacOS, Windows, OpenBSD and other operating systems, are affected to a lesser extent. "When attacking other devices, it is harder to decrypt all packets, although a large number of packets can nevertheless be decrypted," say the researchers.

After earlier, more limited hacks, the WPA2 protocol has been suspect for a while, so many security folks were already bracing themselves for something bad. If you still doubt the seriousness of it, Alex Hudson, for one, is actually advising Android users to "turn off Wi-Fi on these devices until fixes are applied." He adds that "you can think of this a little bit like your firewall being defeated."

As such, you can protect yourself to a great extent by sticking with sites that have solid, proven HTTPS security. And of course, the attack won't work unless the attacker is nearby and can physically access your network.

The problem should be relatively easy to fix. A firmware change can force routers to require a dedicated certificate for each handshake, instead of relying on the one already generated. And, as the security researchers who discovered it say, "implementations can be patched in a backwards-compatible manner."

That means if you patch your Android device and not your router, you can still communicate and be safe, and vice-versa. Nevertheless, they also advise to patch all your devices as soon as security updates are available. For more details about the hack, check this very detailed FAQ from Aruba Networks.

Want to be an Entrepreneur Leadership Network contributor? Apply now to join.

Editor's Pick

Business Ideas

63 Small Business Ideas to Start in 2024

We put together a list of the best, most profitable small business ideas for entrepreneurs to pursue in 2024.

Business Solutions

Grab Microsoft Project Professional 2021 for $20 During This Flash Sale

This small investment is well worth the time it will save your team in organizing and monitoring project work.

Business News

Microsoft's New AI Can Make Photographs Sing and Talk — and It Already Has the Mona Lisa Lip-Syncing

The VASA-1 AI model was not trained on the Mona Lisa but could animate it anyway.

Business News

James Clear Explains Why the 'Two Minute Rule' Is the Key to Long-Term Habit Building

The hardest step is usually the first one, he says. So make it short.

Data & Recovery

This File Backup Tool Subscription Is $25 for Life for One Week Only

AOEMI Backupper Professional is designed to protect, store, and transfer user's files for them.