Mathy Vanhoef, a security expert at Belgian university KU Leuven, discovered the weakness in the wireless security protocol WPA2 and published details of the flaw.
“Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos and so on”, he wrote.
Vanhoef said that the attack works against all modern protected wi-fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.
The vulnerability affects a number of operating systems and devices, the report said, including Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and others.
“If your device supports wifi, it is most likely affected”, Vanhoef wrote. “In general, any data or information that the victim transmits can be decrypted … Additionally, depending on the device being used and the network setup, it is also possible to decrypt data sent towards the victim (e.g. the content of a website).”
Vanhoef gave the weakness the codename Krack, short for Key Reinstallation AttaCK.
Britain’s National Cyber Security Centre said in a statement it was examining the vulnerability. “Research has been published today into potential global weaknesses to wifi systems. The attacker would have to be physically close to the target and the potential weaknesses would not compromise connections to secure websites, such as banking services or online shopping.
“We are examining the research and will be providing guidance if required. Internet security is a key NCSC priority and we continuously update our advice on issues such as wifi safety, device management and browser security.”
The United States Computer Emergency Readiness Team (Cert) issued a warning on Sunday in response to the vulnerability.
“The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection and others,” the alert says, detailing a number of potential attacks. It adds that, since the vulnerability is in the protocol itself, rather than any specific device or software, “most or all correct implementations of the standard will be affected”.
Insecure connections to websites should be considered public, and viewable to any other user on the network, until the vulnerability is fixed.