Microsoft, Apple fix KRACK Wi-Fi security exploit; Google working on patch

Wi-Fi networks across the world are at high risk of getting hacked right now thanks to newly discovered vulnerabilities in WPA2 (Wi-Fi Protected Access II). The security protocol is present in nearly every Wi-Fi-enabled device on the planet, so everything from laptops to phones could be attacked.

A team of security researchers published their findings on a dedicated website called ‘krackattacks,’ named after the proof-of-concept attack called KRACK (Key Reinstallation Attacks). Security researcher Mathy Vanhoef was at the forefront of discovering the holes in WPA2, finding 10 in all.

KRACK requires the hacker to be in range of a target’s Wi-Fi, so it can’t be done remotely. This reduces the risk of getting attacked to a certain extent, but the network is still vulnerable. The method manipulates the 4-way handshake used between a router and a device to create an encryption key, intercepting the third step to force its way between the victim and the router.

From there, the hacker can spy on incoming and outgoing internet traffic and infect websites with malware or ransomware. Any kind of information passed through the internet is at risk, including emails, passwords, and credit/debit card numbers. Researchers found that Android, Apple, Linux, OpenBSD, Linksys, Windows, and MediaTek were all open to KRACK attacks.

The only way to safeguard against KRACK is to update the affected products as soon as upgrades become available. Microsoft says that it released a security fix on October 10, so anyone on the latest version of Windows 10 will be protected. Even Apple has included a patch in the beta version of iOS, macOS, tvOS, and watchOS.

These will be rolled out soon. As for Google, it’s promised to beam out an update in the coming weeks starting with the Pixel series on November 6. Android and Linux devices are especially vulnerable to KRACK since both can be tricked into reinstalling an all-zero encryption key. Compounding the problem is the fact that Android products don’t usually get regular updates from manufacturers.
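
The following is an added example, not part of the original article or any vendor's code: a toy Python model of a WPA2 client showing what the patches change when the third handshake message arrives a second time. It assumes two details from the published KRACK research rather than from this article (reinstalling a key resets the transmit nonce, and affected Android/Linux clients wipe the key from memory after the first install); every class and function name is hypothetical.

```python
from dataclasses import dataclass, field

KEY_LEN = 16
SESSION_KEY = bytes(range(1, KEY_LEN + 1))  # constructed sample key

@dataclass
class Client:
    patched: bool                          # True = behaves like an updated device
    wipes_key_after_install: bool = False  # models the Android/Linux behaviour
    pending_key: bytes = b""               # key held in memory from the handshake
    installed_key: bytes = b""
    installed_once: bool = False
    tx_nonce: int = 0
    seen: set = field(default_factory=set)  # (key, nonce) pairs already used
    nonce_reuse: bool = False

    def handshake_start(self, session_key: bytes) -> None:
        self.pending_key = session_key
        self.installed_once = False

    def on_message3(self) -> None:
        # Fix: a repeated message 3 must not reinstall the key or reset the nonce.
        if self.patched and self.installed_once:
            return
        self.installed_key = self.pending_key
        self.tx_nonce = 0
        self.installed_once = True
        if self.wipes_key_after_install:
            self.pending_key = bytes(KEY_LEN)  # next reinstall would be all zeros

    def send_frame(self) -> None:
        self.tx_nonce += 1
        pair = (self.installed_key, self.tx_nonce)
        if pair in self.seen:
            self.nonce_reuse = True  # same key and nonce protect two frames
        self.seen.add(pair)

def run(patched: bool, wipes: bool = False) -> Client:
    c = Client(patched=patched, wipes_key_after_install=wipes)
    c.handshake_start(SESSION_KEY)
    c.on_message3()      # first delivery: key installed
    c.send_frame()
    c.send_frame()
    c.on_message3()      # message 3 delivered again
    c.send_frame()
    return c

if __name__ == "__main__":
    for patched in (False, True):
        c = run(patched, wipes=True)
        print(f"patched={patched} all_zero_key={c.installed_key == bytes(KEY_LEN)}")
```
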