The WPA2 encryption your Wi-Fi base station uses isn’t as secure as you thought. Security researcher Mathy Vanhoef revealed a flaw that makes any WPA2-encrypted data on a WiFi network hackable, regardless of what operating system you use.
The flaw, called a Key Reinstallation Attack (KRACK), takes advantage of a weakness in the WPA2 standard that lets an attacker decrypt the data flowing through the wireless network. Vanhoef said in his research:
“The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks.”
Linux and Android are especially easy to hack—but before the schadenfreude sets in, Apple products are hackable, too. That means at least some data previously considered secure on WiFi networks should be considered vulnerable.
Patching WiFi’s KRACK
KRACK makes the prospect of using any WiFi network sound like a horribly bad idea, but there is some hope for a more secure wireless future. First, KRACK is still a proof of concept and hasn’t been seen as a real exploit outside of the lab.
Second, data that’s encrypted by other means, including VPN services, isn’t impacted by KRACK. The flaw affects only the WPA2-encrypted data on the wireless network.
Finally, the flaw can be patched. Device makers are being alerted to the security flaw so they can develop and release software fixes. Since the issue can be addressed through software, any device supporting updates should be patchable.
In other words, expect to see security updates for iOS and macOS, as well as the AirPort product line.
CERT is tracking the vulnerability status for many WiFi device makers, although right now many vendors are still listed as “unknown.”
For now, it’s a good idea to treat every WiFi network as vulnerable. Stay away from wireless networks you don’t know, and practice good network safety, like using a VPN.