‘KRACK’ WPA2 security flaw puts nearly every Android device at risk of hijack via Wi-Fi

“A security protocol at the heart of most modern Wi-Fi devices, including computers, phones, and routers, has been broken, putting almost every wireless-enabled device at risk of attack,” Zack Whittaker reports for ZDNET. “The bug, known as ‘KRACK’ for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, a computer security academic, who found the flaw, said the weakness lies in the protocol’s four-way handshake, which securely allows new devices with a pre-shared password to join the network.”

“That weakness can, at its worst, allow an attacker to decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream,” Whittaker reports. “In other words: this flaw, if exploited, gives an attacker a skeleton key to access any WPA2 network without a password. Once they’re in, they can eavesdrop on your network traffic.”

“The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices — putting every supported device at risk,” Whittaker reports. “But because Vanhoef hasn’t released any proof-of-concept exploit code, there’s little risk of immediate or widespread attacks. News of the vulnerability was later confirmed on Monday by US Homeland Security’s cyber-emergency unit US-CERT, which about two months ago had confidentially warned vendors and experts of the bug, ZDNet has learned… Vanhoef said the security issue is ‘exceptionally devastating’ for Android 6.0 Marshmallow and above.”

Read more in the full article here.

“It is patchable, both client and server (Wi-Fi) side,” Kevin Beaumont explains for Double Pulsar. “Linux patches are available now. Linux distributions should have it very shortly.”

“The attack realistically doesn’t work against Windows or iOS devices,” Beaumont writes. “There is currently no publicly available code out there to attack this in the real world — you would need an incredibly high skill set and to be at the Wi-Fi base station to attack this.”

“Android is the issue, which is why the research paper concentrates on it,” Beaumont writes. “The issue with Android is people largely don’t patch.”

Much more in the full article, which includes Vanhoef’s research paper, here.

MacDailyNews Take: If it’s not an iPhone, you’re awfully bad at buying a smartphone.

How to upgrade from Android to a real Apple iPhone – August 21, 2017
Russian hacker gang robbed Russian banks with over one million hacked Android phones – May 22, 2017
36 widely-used Android devices ship with malware preinstalled – March 14, 2017
The cost of free: More than one million Google Android devices hit by malware – November 30, 2016
Secret backdoor in U.S. Android phones sent location, text, contact data to China – November 15, 2016
Bad news for Fragmandroid: FCC and FTC launch inquiry over mobile security updates – May 10, 2016
Google’s flawed Android is essentially unfixable – May 2, 2016
Apple’s deep commitment to security – April 18, 2016
Apple: We have the ‘most effective security organization in the world’ – April 16, 2016
85% of mobile device failures occur on Android, with Samsung leading the way – February 23, 2016
More than 90% of Android devices are running out-dated, insecure operating system versions – January 27, 2016
Dangerous new zero-day flaw affects more than two-thirds of all Android devices – January 20, 2016
Android malware steals one-time passcodes, a crucial defense for online banking – January 14, 2016
New Android malware is so bad, you’d better off buying a new phone – November 6, 2015
New Android malware strains to top 2 million by end of 2015 – July 1, 2015
Symantec: 1 in 5 Android apps is malware – April 25, 2015
Kaspersky Lab Director: Over 98% of mobile malware targets Android because it’s much, much easier to exploit than iOS – January 15, 2015
Security experts: Malware spreading to millions on Android phones – November 21, 2014
There’s practically no iOS malware, thanks to Apple’s smart control over app distribution – June 13, 2014
F-Secure: Android accounted for 99% of new mobile malware in Q1 2014 – April 30, 2014
Google’s Sundar Pichai: Android not designed to be safe; if I wrote malware, I’d target Android, too – February 27, 2014
Cisco: Android the target of 99 percent of world’s mobile malware – January 17, 2014
U.S. DHS, FBI warn of malware threats to Android mobile devices – August 27, 2013
Poor man’s iPhone: Android on the decline – February 26, 2015
Study: iPhone users are smarter and richer than those who settle for Android phones – January 22, 2015
Why Android users can’t have the nicest things – January 5, 2015
iPhone users earn significantly more than those who settle for Android phones – October 8, 2014
Yet more proof that Android is for poor people – June 27, 2014
More proof that Android is for poor people – May 13, 2014
Android users poorer, shorter, unhealthier, less educated, far less charitable than Apple iPhone users – November 13, 2013
IDC data shows two thirds of Android’s 81% smartphone share are cheap junk phones – November 13, 2013
CIRP: Apple iPhone users are younger, richer, and better educated than those who settle for Samsung knockoff phones – August 19, 2013


    1. The UIAlertController problem is, at the moment, theoretical. As such, it’s only of interest to techies. If the attack goes active in-the-wild, then we should see widespread warnings. For now, this is an issue for Apple to resolve in order for it to no longer be possible.

  1. It’s very difficult to trust any OS, program, protocol, or encryption anymore. One can go along using best practices and then poof! The thing is vulnerable. It’s a cat-and-mouse game and too often is seems we are loosing. When we find out about vulnerabilities (KRACK) or hacks (EQUIFAX) well after their discovery, we learn we really can’t trust our institutions. There could be a serious vulnerability is iOS right now and we won’t know about it for a year.

    1. The problem with vulnerabilites is if one exists but is never exploited nor found till there are so many devices depending on that piece of code it becomes crippling, it’s too late.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.