 "US warns of security flaw KRACK that can compromise Wi-Fi")
The US government's computer security watchdog warned on Friday of a security flaw in Wi-Fi encryption protocol which can open the door to attacks to eavesdrop on or hijack devices using wireless networks.
The disclosure by the government's Computer Emergency Response Team could potentially allow hackers to snoop on or take over millions of devices which use Wi-Fi.
The agency, part of the Department of Homeland Security, said the flaw was discovered by researchers at the Belgian university KU Leuven.
According to the news site Ars Technica, the discovery was a closely guarded secret for weeks to allow Wi-Fi systems to develop security patches.
Attackers can exploit the flaw in WPA2 -- the name for the encryption protocol -- "to read information that was previously assumed to be safely encrypted," said a blog post by KU Leuven researchers.
"This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks.
"Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites."
The flaw was dubbed KRACK for Key Reinstallation AttaCK because it allows attackers to insert a new "key" on a Wi-Fi connection that keeps data private.
Security researchers said the newly discovered flaw was serious because of the ubiquity of Wi-Fi and the difficulty in patching millions of access points.
"Wow. Everyone needs to be afraid," said Rob Graham of Errata Security in a blog post.
"It means in practice, attackers can decrypt a lot of Wi-Fi traffic, with varying levels of difficulty depending on your precise network setup."
The Wi-Fi Alliance, an industry group which sets standards for wireless connections, said computer users should not panic.
"There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections," the group said in a statement.
"Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member.
The disclosure by the government's Computer Emergency Response Team could potentially allow hackers to snoop on or take over millions of devices which use Wi-Fi.
The agency, part of the Department of Homeland Security, said the flaw was discovered by researchers at the Belgian university KU Leuven.
Also Read
Attackers can exploit the flaw in WPA2 -- the name for the encryption protocol -- "to read information that was previously assumed to be safely encrypted," said a blog post by KU Leuven researchers.
"This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks.
"Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites."
The flaw was dubbed KRACK for Key Reinstallation AttaCK because it allows attackers to insert a new "key" on a Wi-Fi connection that keeps data private.
Security researchers said the newly discovered flaw was serious because of the ubiquity of Wi-Fi and the difficulty in patching millions of access points.
"Wow. Everyone needs to be afraid," said Rob Graham of Errata Security in a blog post.
"It means in practice, attackers can decrypt a lot of Wi-Fi traffic, with varying levels of difficulty depending on your precise network setup."
The Wi-Fi Alliance, an industry group which sets standards for wireless connections, said computer users should not panic.
"There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections," the group said in a statement.
"Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member.
You’ve reached your limit of {{free_limit}} free articles this month.
Subscribe now for unlimited access.
Already subscribed? Log in
Subscribe to read the full story →*Subscribe to Business Standard digital and get complimentary access to The New York Times
Smart Quarterly
₹900
3 Months
₹300/Month
SAVE 25%
Smart Essential
₹2,700
1 Year
₹225/Month
SAVE 46%
*Complimentary New York Times access for the 2nd year will be given after 12 months
Super Saver
₹3,900
2 Years
₹162/Month
Subscribe
Renews automatically, cancel anytime
Here’s what’s included in our digital subscription plans
Exclusive premium stories online
Over 30 premium stories daily, handpicked by our editors
Complimentary Access to The New York Times
News, Games, Cooking, Audio, Wirecutter & The Athletic
Business Standard Epaper
Digital replica of our daily newspaper — with options to read, save, and share
Curated Newsletters
Insights on markets, finance, politics, tech, and more delivered to your inbox
Market Analysis & Investment Insights
In-depth market analysis & insights with access to The Smart Investor
Archives
Repository of articles and publications dating back to 1997
Ad-free Reading
Uninterrupted reading experience with no advertisements
Seamless Access Across All Devices
Access Business Standard across devices — mobile, tablet, or PC, via web or app
SAVE 25%