You are here: Home » International » News » Others
Business Standard

US warns of security flaw KRACK that can compromise Wi-Fi

The flaw was dubbed KRACK for Key Reinstallation AttaCK because it allows attackers to insert a new "key" on a Wi-Fi connection that keeps data private

AFP | PTI  |  Washington 

Representative image
Representative image

The government's computer security watchdog warned on Friday of a in encryption protocol which can open the door to attacks to eavesdrop on or hijack devices using

The disclosure by the government's Computer Emergency Response Team could potentially allow hackers to snoop on or take over millions of devices which use


The agency, part of the Department of Homeland Security, said the flaw was discovered by researchers at the Belgian university KU Leuven.

According to the news site Ars Technica, the discovery was a closely guarded secret for weeks to allow systems to develop security patches.

Attackers can exploit the flaw in WPA2 -- the name for the encryption protocol -- "to read information that was previously assumed to be safely encrypted," said a blog post by KU Leuven researchers.

"This can be abused to steal sensitive information such as numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected networks.

"Depending on the network configuration, it is also possible to inject and manipulate For example, an attacker might be able to inject or other into websites."

The flaw was dubbed for Key Reinstallation AttaCK because it allows attackers to insert a new "key" on a connection that keeps private.

Security researchers said the newly discovered flaw was serious because of the ubiquity of and the difficulty in patching millions of access points.

"Wow. Everyone needs to be afraid," said Rob Graham of Errata Security in a blog post.

"It means in practice, attackers can decrypt a lot of traffic, with varying levels of difficulty depending on your precise network setup."

The Alliance, an industry group which sets standards for wireless connections, said computer users should not panic.

"There is no evidence that the vulnerability has been exploited maliciously, and Alliance has taken immediate steps to ensure users can continue to count on to deliver strong security protections," the group said in a statement.

"Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Alliance member.

First Published: Mon, October 16 2017. 23:31 IST
RECOMMENDED FOR YOU