The wi-fi connections of businesses and homes around the world are at risk, according to researchers who have revealed a major flaw dubbed Krack.
It concerns an authentication system which is widely used to secure wireless connections.
Experts said it could leave “the majority” of connections at risk until they are patched.
The researchers added the attack method was “exceptionally devastating” for Android 6.0 or above and Linux.
A Google spokesperson said: “We’re aware of the issue, and we will be patching any affected devices in the coming weeks.”
The US Computer Emergency Readiness Team (Cert) has issued a warning on the flaw.
“US-Cert has become aware of several key management vulnerabilities in the four-way handshake of wi-fi protected access II (WPA2) security protocol,” it said.
“Most or all correct implementations of the standard will be affected.”
Prof Alan Woodward, a computer security expert from the University of Surrey, said: “This is a flaw in the standard, so potentially there is a high risk to every single wi-fi connection out there, corporate and domestic.
“The risk will depend on a number of factors including the time it takes to launch an attack and whether you need to be connected to the network to launch one, but the paper suggests that an attack is relatively easy to launch.
“It will leave the majority of wi-fi connections at risk until vendors of routers can issue patches.”
The vulnerability was discovered by researchers led by Mathy Vanhoef, from the Belgian university KU Leuven.
According to his paper, the issue centres on a randomly generated number known as a nonce (a number that is meant to be used only once), which can, in fact, be reused, allowing an attacker to enter a network and snoop on the data being sent in it.
“All protected wi-fi networks use the four-way handshake to generate a fresh session key and so far this 14-year-old handshake has remained free from attacks,” he writes in the paper describing Krack (key reinstallation attacks).
“Every wi-fi device is vulnerable to some variants of our attacks. Our attack is exceptionally devastating against Android 6.0: it forces the client into using a predictable all-zero encryption key.”
Dr Steven Murdoch from University College London said there were two mitigating factors to what he agreed was a “huge vulnerability”.
“The attacker has to be physically nearby and if there is encryption on the web browser, it is harder to exploit.”