Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Vendors Race to Fight KRACK Wi-Fi Attacks

Technology companies worldwide have released or are working on releasing patches to address the dangerous Wi-Fi vulnerabilities publicly disclosed this week.

Technology companies worldwide have released or are working on releasing patches to address the dangerous Wi-Fi vulnerabilities publicly disclosed this week.

Setting the stage for a new attack method called Key Reinstallation Attack, or KRACK, these vulnerabilities affect the Wi-Fi standard itself and potentially expose all Wi-Fi Protected Access II (WPA2) protocol implementations.

An attacker capable of exploiting the issues could steal sensitive information transmitted over Wi-Fi, including credit card numbers, passwords, chat messages, emails, photos, and more. All major operating systems, including Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are affected.

The good news, however, is that the attacker needs to be in within range of an affected wireless access point, and that only data encrypted using the WPA2 protocol is exposed. Data encrypted using other standards, including HTTPS, TLS, and the like, should be safe from this attack.

What’s more, the Wi-Fi Alliance says that there is no evidence that the vulnerabilities have been exploited maliciously and confirmed that a straightforward software update should resolve them. However, the industry organization has already released a vulnerability detection tool for use by any Wi-Fi Alliance member.

As the US-CERT noted in its advisory, the issues affect the Wi-Fi standard itself, meaning that all correct implementations are exposed. Thus, there’s a general consensus of urgency among top vendors to address the bug through software updates, and some of them have already released patches.

Microsoft has already addressed the issue its October 2017 patches and published an advisory on the matter. Apple is reportedly taking steps in this direction by including patches in the latest beta releases of macOS, iOS, tvOS, and watchOS.

Android 6.0 and above and Linux were said to be affected the most, with the attack being “exceptionally devastating” against them. While security updates have been released for Linux, Google seems determined to address the issue in the coming weeks, most likely with the November 2017 monthly Android patches.

The issue is being addressed in Debian, Fedora, Red Hat, and Ubuntu. Patches are available for OpenBSD as well, and are being prepared for the FreeBSD Project.

Intel has released an advisory listing all affected products, while Netgear has released fixes for some products and is working on updates for others. Cisco too has released patches for affected products, the same as Fortinet, MikroTik, Ubiquiti Networks, WatchGuard, and Aruba. Zyxel also confirmed that some of its products are affected.

The list of affected and potentially affected vendors is much more extensive than that, as US-CERT has revealed. Most of the vendors were notified on the vulnerabilities in late August, but it’s yet unclear how many of them are affected.

Related: Security Flaw Prompts Fears on Wi-Fi Connections

RelatedDangerous WPA2 Flaw Exposes Wi-Fi Traffic to Snooping

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.