A flaw in the WPA2 security protocol that protects Wi-Fi networks has been discovered.
It could allow hackers to eavesdrop on any devices connected to Wi-Fi.
Operating systems such as Google’s Android, Apple’s iOS and Microsoft’s Windows could all be affected.
The security layer that protects Wi-Fi networks has been cracked by hackers, potentially allowing them to listen to your communications on devices connected to the internet, research published Monday revealed.
WPA2 is a security protocol that protects modern Wi-Fi networks. Hackers have found a way to manipulate the cryptographic elements behind the security, according to Mathy Vanhoef of KU Leuven, a university in Belgium.
The issue is with the security standard itself rather than individual devices, but it can affect those devices that are connected to a Wi-Fi network.
Vanhoef found that operating systems such as Google’s Android, Apple’s iOS and Microsoft’s Windows could all be affected.
So how does it work?
The WPA2 protocol works using a so-called “four-way handshake.” The initial part of the handshake takes place when a user puts in the correct password to access a Wi-Fi network. The next step is when a new encryption key is generated to encrypt subsequent traffic.
Hackers are able to manipulate this process through what is known as a key reinstallation attack (KRACK).
“This is achieved by manipulating and replaying cryptographic handshake messages,” the researchers wrote.
The research paper does, however, state that an attacker must be within range of a victim.
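As an added illustration (not from the article or the research paper), this toy Python model shows why installing the same key twice is a problem and what a patched client does instead. It assumes, beyond what the article states, that the key is installed when the third handshake message arrives and that installing it resets the per-packet number used during encryption; the Client class and every name in it are hypothetical, and no real Wi-Fi frames or cryptography are involved.

```python
# Toy model, constructed for illustration: no real 802.11 frames or crypto.
# Assumption (not stated in the article): installing a key resets the
# per-packet number, so a reinstall makes earlier numbers get used again.
import secrets


class Client:
    """Tracks the installed session key and the per-packet number."""

    def __init__(self, patched):
        self.patched = patched
        self.key = None
        self.packet_number = 0
        self.used = []  # (key, packet number) pairs used to encrypt

    def on_message3(self, key):
        """Handle the handshake message that tells the client to install the key."""
        if self.patched and key == self.key:
            return  # same key already installed: leave the counter alone
        self.key = key
        self.packet_number = 0  # a (re)install resets the packet number

    def send(self):
        """Encrypt one packet; each (key, packet number) pair must be used once."""
        self.packet_number += 1
        self.used.append((self.key, self.packet_number))


def reused_packet_numbers(patched):
    """Return the packet numbers that were used more than once with one key."""
    key = secrets.token_bytes(16)  # constructed session key
    client = Client(patched)
    client.on_message3(key)        # normal handshake completes
    client.send()
    client.send()
    client.on_message3(key)        # the same message arrives a second time
    client.send()
    client.send()
    seen, dupes = set(), set()
    for pair in client.used:
        (dupes if pair in seen else seen).add(pair)
    return sorted(number for _, number in dupes)


if __name__ == "__main__":
    print("unpatched client reused:", reused_packet_numbers(patched=False))
    print("patched client reused:  ", reused_packet_numbers(patched=True))
```

The unpatched client encrypts two different packets under the same key and packet number, which is the condition the update removes; the patched client keeps counting upward.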
Who could be affected?
Any device connected to a Wi-Fi network could be affected. But the researchers said that the flaw could be “catastrophic” to a certain version of Linux and “exceptionally devastating” to devices running Android 6.0 and above. Half of the Android devices in circulation are running this version, according to data from Google.
Vanhoef said that he is not sure if this flaw is being exploited currently.
The researcher said vendors of products that were affected were notified around July 14. Vanhoef then disclosed the vulnerability to the United States Computer Emergency Readiness Team (CERT), which sent out a notification to vendors on Aug. 28.
What should I do now?
Vanhoef said there is no need to change your Wi-Fi password. Instead, it’s important to make sure all devices and the firmware of your router are updated.
The researcher also said that people should continue using the WPA2 protocol.
An alert from the U.S. Department of Homeland Security Computer Emergency Response Team recommended installing vendor updates on affected products, such as routers provided by Cisco Systems or Juniper Networks.
Microsoft told The Verge that it has released a security update to address the issue, and a Google spokesperson tweeted that Android devices with a security patch level of Nov. 6, 2017, or later are protected. Apple confirmed that it has a fix, currently in beta mode, and the software will be coming to everyone soon.