A new vulnerability could impact all devices using WPA2 protocols to secure their wi-fi networks, according to a report released Monday.
The "serious weakness" in the WPA2 protocol allows attackers not only to read and steal information transmitted across wi-fi, but also potentially to manipulate the data or insert malware.
The vulnerability was discovered by Mathy Vanhoef and Frank Piessens at KU Leuven and announced by the United States Computer Emergency Readiness Team (US-CERT) on Monday.
The KRACK (key reinstallation attack) vulnerability isn't a problem with the encryption itself, but rather with the "handshake process" and the way the device connects to the access point.
The attack works by leveraging the four-way handshake that is part of the WPA2 protocol process, which allows users to connect to a network and then confirm their credentials for access – a process that is used by all modern wi-fi networks.
The key reinstallation attack abuses this process by forcing the incremental transmit packet number (nonce) to be reset to zero, so that the same encryption key is used again with nonce values that have already been used. This allows attackers to replay, decrypt or forge packets.
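Why a reset packet number matters, and how declining to reinstall a key that is already in use avoids it, shown as an added example that is not code from the researchers or from any vendor patch. The `Client` class, the SHA-256 keystream (a stand-in for WPA2's real cipher) and the sample frames are constructed for illustration.

```python
import hashlib

def keystream(key: bytes, nonce: int, n: int) -> bytes:
    # Stand-in for the real cipher: output depends only on (key, nonce).
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce.to_bytes(6, "big") + bytes([block])).digest()
        block += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Toy station: installs a key on handshake message 3, then sends frames."""
    def __init__(self, patched: bool):
        self.patched, self.key, self.nonce = patched, None, 0
        self.spent = set()  # (key, nonce) pairs already used to encrypt

    def on_message3(self, key: bytes) -> None:
        # Patched (simplified model): a repeated message 3 carrying the key that
        # is already installed does not reset the packet number.
        if self.patched and key == self.key:
            return
        self.key, self.nonce = key, 0

    def send(self, plaintext: bytes):
        self.nonce += 1
        reused = (self.key, self.nonce) in self.spent
        self.spent.add((self.key, self.nonce))
        return self.nonce, xor(plaintext, keystream(self.key, self.nonce, len(plaintext))), reused

PT1, PT2 = b"first frame.....", b"second frame...."  # constructed sample data
KEY = b"constructed-session-key"                     # constructed sample key

def run(patched: bool) -> dict:
    c = Client(patched)
    c.on_message3(KEY)
    n1, ct1, _ = c.send(PT1)
    c.on_message3(KEY)  # message 3 arrives a second time
    n2, ct2, reused = c.send(PT2)
    # With a repeated nonce, XOR of the ciphertexts equals XOR of the plaintexts.
    return {"nonces": (n1, n2), "reused": reused,
            "leaks": xor(ct1, ct2) == xor(PT1, PT2)}

if __name__ == "__main__":
    print("unpatched:", run(False))
    print("patched:  ", run(True))
```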
The researchers said that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others are all affected by some variant of the vulnerability.
The vulnerability is "especially catastrophic" against version 2.4 and above of wpa_supplicant, which is common on Linux and Android 6.0 and above.
"If your device supports wi-fi, it is most likely affected," a blog post on the vulnerability said.
US-CERT has published a list of the vendors whose equipment is vulnerable.
Many of these vendors have already released patches or statements.
Microsoft provided a statement to Windows Central saying that it had already patched against the vulnerability:
"Microsoft released security updates on October 10th and customers who have Windows Update enabled and applied the security updates, are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates."
Google is "aware of the issue, and we will be patching any affected devices in the coming weeks", the company told The Verge.
US-CERT lists some vendors, including Arista and VMware, as "not affected".
The Wi-Fi Alliance, an industry group that represents hundreds of wi-fi technology companies, said the issue "can be resolved through straightforward software updates".
The group said in a statement it had advised members to release patches quickly and recommended that consumers quickly install those security updates.
"There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on wi-fi to deliver strong security protections," read the statement.
The vulnerability can be patched in a backwards-compatible manner, researchers said, and urged all users to update their devices and router firmware as soon as security updates are made available.
Changing a wi-fi password will not prevent an attack. Users should not temporarily revert to WEP while waiting for devices to be patched, and should continue to use WPA2 protocols.