Wi-Fi security flaw KRACK puts all wireless devices at risk

The weakness was found in the WPA2 security protocol used by almost every modern phone, computer and router.

Katie Collins Senior European Correspondent

The bug already has its own nickname: KRACK


You use Wi-Fi every day -- you may even be on it right this very moment -- and that means the device you're using is at serious risk of being hijacked.

Researchers have discovered a flaw in the security protocol that's a fixture in almost every modern Wi-Fi device, including computers, phones and routers, reported ZDNet on Monday.

A weakness in the WPA2 protocol, meant to protect both wireless networks and devices, was discovered by computer security academic Mathy Vanhoef, and is being nicknamed "KRACK," short for Key Reinstallation Attack.

The bug ultimately could allow hackers to eavesdrop on network traffic -- bad news for anyone sending sensitive or private information over a Wi-Fi connection. These days, that's pretty much all of us, although this could hit businesses using wireless point-of-sale machines particularly hard.


It's yet another weak spot in the wireless connections now woven into the fabric of daily life. Just last month, for instance, a security company flagged a flaw that could let malware hit more than 5 billion devices via their Bluetooth connections.

And it comes on top of a seemingly endless string of bad news in general about security vulnerabilities, whether still in a potential state or actually exploited by hackers. In May and June, ransomware attacks locked up computers around the world, demanding payment from people and companies in return for renewed access to vital information and systems. More recently came the hack at Equifax, which compromised the personal details of 145 million Americans, and the latest shoe to drop in the matter of Yahoo's massive hack, which hit a breathtaking 3 billion accounts.

In the case of KRACK, hackers would have to be within physical range of a vulnerable device to take advantage of the flaw, but if they're in the right spot, they could use it to decrypt network traffic, hijack connections and inject content into the traffic stream.

To do so would involve effectively impersonating a user who had already been granted access to the network so as to exploit a weakness in the secure four-way handshake that acts as its gatekeeper.

"All Wi-Fi clients we tested were vulnerable" to an attack on that handshake, Vanhoef wrote.

For more on KRACK, what it means for businesses and what to do about it, head over to our sister site ZDNet.
