Microsoft and other tech companies released patches in October 2017 to begin to address the impact of a widespread security vulnerability affecting Wi-Fi encryption, which experts said could put users’ personal information at risk.
The weakness, which was discovered by researcher Mathy Vanhoef, affects Wi-Fi Protected Access 2 (commonly known as “WPA2”), an Internet protocol regularly used to secure Wi-Fi networks:
An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted.
This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.
No attacks have been reported in connection with the Wi-Fi vulnerability. Vanhoef added that internet users do not have to update their Wi-Fi network passwords because doing so would not hold back a prospective attack:
Instead, you should make sure all your devices are updated, and you should also update the firmware [software] of your router. Nevertheless, after updating both your client devices and your router, it’s never a bad idea to change the Wi-Fi password.
The tech giant Microsoft has said that users of several of its operating systems (including Windows 10, Windows 7, Windows 8, and Windows 8.1) would be protected from KRACK attacks by a system update released on 10 October 2017. According to the company, users who apply the update, or who have had it installed on their devices through automatic updates, will be covered.
Meanwhile, Apple said in a statement that “The fix for the KRACK WiFi vulnerability is currently in the betas of iOS, macOS, watchOS and tvOS and will soon be rolled out to customers.”
According to the United States Computer Emergency Readiness Team, several companies, including Cisco, router manufacturer Netgear, Intel, and Blackberry, have released security patches and firmware updates for their respective products.
But newer household devices designed with Wi-Fi capabilities could continue to be at risk of being exploited, experts said, because security patches for them could take longer to be released or be difficult to install. On 1 August 2017, a bipartisan group of lawmakers introduced a bill in the Senate that would apply tighter security measures to these types of devices, which are sometimes referred to as part of the “internet of things.”
Regarding the “KRACK” vulnerability, Sen. Mark Warner (D-Virginia) said:
Vulnerability in WPA2 highlights the impact of vulnerabilities in widely-adopted components and protocols, and illustrates the importance of adopting basic hygiene requirements for the rapidly proliferating Internet of Things.