Since the loophole is at the most basic level, the Wi-Fi standard itself, another cybersecurity expert, Jiten Jain, says users will have to wait for a firmware update for their routers and other devices.
In a proof-of-concept paper released today and scheduled to be presented at a security conference next month, Catholic University of Leuven researchers Mathy Vanhoef and Frank Piessens described how flaws in Wi-Fi security protocols could be exploited by tricking a targeted wireless device into reinstalling a cryptographic key that's already in use. In riskier cases, hackers might be able to "take over" your Wi-Fi connection and add malware to otherwise safe sites, Mashable explained.
The United States Computer Emergency Readiness Team has issued a warning about a new attack that affects Wi-Fi networks using the commonly used WPA2 protocol. The attack, however, is "exceptionally devastating" for devices that run Android 6.0, Vanhoef found. Google did not respond to a request for comment. Not having one puts you at risk for all sorts of attacks. The security flaw could leave millions of networks and devices prone to attacks. What follows is a short rundown on what exactly is at stake here, who's most at risk from this vulnerability, and what organizations and individuals can do about it.
Spark is speaking with a number of device manufacturers to find out when patches will be available for installation that would update software in response to the breach. Many of them have begun preparing patches for their systems, and some have already been released.
We are not aware of any Spark customers who have been compromised by the vulnerability to date. The Consumerist, which notes that "basically every device on earth" is affected, says users should also install security updates on any connected devices as soon as prompted.
Apple did not immediately respond to a request for comment, but Vanhoef noted that iOS and Windows devices were not the most vulnerable to the exploit.
"Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member". "To fully address potential vulnerabilities, you are also encouraged to contact your Wi-Fi hardware vendor to obtain updated device drivers". Fast-forward to today, and you'll find the secret revealed as KRACK (that's Key Reinstallation Attack), which enables "breaking [of] WPA2 by forcing nonce reuse". For the time being, the safest thing to do is to avoid using Wi-Fi on your phone if at all possible. After all, if you're sharing a public Wi-Fi network with tens or hundreds of other strangers, you're likely more vulnerable than you are in the privacy of your home.
At some point, the real AP will send another copy of message 3, possibly several times, until the rogue AP finally lets the message get through to the client. They are also advised to stop logging into websites or URLs that don't start with HTTPS.
This padlock will appear on all HTTPS sites.
"Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted", Vanhoef wrote.
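The key reinstallation and nonce reuse described above, as an added example that is not from the article or the researchers' paper: a toy client that resets its transmit nonce whenever message 3 arrives, next to a patched one that ignores a repeat of the key already in use. The `Client` class, the hash-based keystream (a stand-in for WPA2's real cipher) and the frame contents are constructed for illustration.

```python
import hashlib

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    # Stand-in for the real cipher: output depends only on (key, nonce).
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Toy Wi-Fi client: tracks the installed key and the transmit nonce."""
    def __init__(self, patched: bool):
        self.patched, self.key, self.nonce = patched, None, 0

    def on_message3(self, key: bytes) -> None:
        # Patched behaviour: a retransmitted message 3 carrying the key that is
        # already installed must not reset the nonce.
        if self.patched and key == self.key:
            return
        self.key, self.nonce = key, 0

    def send(self, plaintext: bytes):
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))

P1, P2 = b"frame one: hello", b"frame two: world"  # constructed sample frames

def run(patched: bool):
    """Install the key, send a frame, receive message 3 again, send another frame."""
    key = hashlib.sha256(b"constructed session key").digest()
    client = Client(patched)
    client.on_message3(key)
    first = client.send(P1)
    client.on_message3(key)  # retransmitted copy of message 3
    second = client.send(P2)
    return first, second

def nonce_reused(patched: bool) -> bool:
    (n1, _), (n2, _) = run(patched)
    return n1 == n2

def leaks_plaintext_xor(patched: bool) -> bool:
    # With a repeated nonce the keystream cancels: c1 XOR c2 == p1 XOR p2.
    (_, c1), (_, c2) = run(patched)
    return xor(c1, c2) == xor(P1, P2)
```

In the unpatched case the two frames are encrypted under the same key and nonce, so the encryption no longer hides how the two plaintexts relate; the patched client keeps counting and the nonce never repeats.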