Microsoft and other tech companies released patches in October 2017 to begin to address the impact of a widespread security vulnerability affecting Wi-Fi encryption, which experts said could put users' personal information at risk.
The weakness, which was discovered by researcher Mathy Vanhoef, affects Wi-Fi Protected Access 2 (commonly known as "WPA2"), an Internet protocol regularly used to secure Wi-Fi networks:
"An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted.
"This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites."
No attacks have been reported in connection with the Wi-Fi vulnerability. Vanhoef added that internet users do not have to update their Wi-Fi network passwords because doing so would not hold back a prospective attack:
"Instead, you should make sure all your devices are updated, and you should also update the firmware [software] of your router. Nevertheless, after updating both your client devices and your router, it's never a bad idea to change the Wi-Fi password."
Microsoft has said that users of several of its operating systems (including Windows 10, Windows 7, Windows 8, and Windows 8.1) would be protected from KRACK attacks by a system update released on 10 October 2017. According to the company, users who apply the update or have had it installed through automatic updates to their devices will be covered.
Meanwhile, Apple said in a statement that "The fix for the KRACK WiFi vulnerability is currently in the betas of iOS, macOS, watchOS and tvOS and will soon be rolled out to customers."
According to the United States Computer Emergency Readiness Team, several companies, including Cisco, router manufacturer Netgear, Intel, and Blackberry, have released security patches and firmware updates for their respective products.
But newer household devices designed with Wi-Fi capabilities could continue to be at risk of being exploited, experts said, because security patches for them could take longer to be released or be difficult to install. On 1 August 2017, a bipartisan group of lawmakers introduced a bill in the Senate that would apply tighter security measures to these types of devices, which are sometimes referred to as part of the "internet of things."
Regarding the "KRACK" vulnerability, Sen. Mark Warner (D-Virginia) said:
"Vulnerability in WPA2 highlights the impact of vulnerabilities in widely-adopted components and protocols, and illustrates the importance of adopting basic hygiene requirements for the rapidly proliferating Internet of Things."