When setting up a Wi-Fi connection, you should know to set up the “WPA2” box to encrypt traffic and stop any hackers.
However, the box is still vulnerable to cryptographic attacks. According to new research from Mathy Vanhoef; a security researcher at KU Leuven in Belgium, the WPA2 box can actually be exploited to steal and read data that would usually be protected.
Vanheof found that hackers can steal passwords, seize your financial information, or even manipulate commands to arrange for your money to be sent to them. For an attack to take place, the attacker needs to be in close range of the Wi-Fi network to carry it out; which of course is a welcome limitation. However, this is not a huge problem for people who want to carry out this criminal activity because there are millions of Wi-Fi enabled devices across the world.
“Any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available,” Vanhoef said. “If your device supports Wi-Fi, it is most likely affected.”
The weakness is WPA2s “Four-way handshake”, this determines whether the attacker has matching credentials, e.g. knows the password to the network. The “Four-way handshake” generates an encryption key, the third step in the process, to protect the user’s session. This new discovery from Vanhoef – which he calls the Key Reinstallation Attack – lets the hacker reinstall a cryptographic key that has already been in use. The reuse resets the counters for how many packets, or data, are sent and received for a certain key. When these are reset, the hacker replays and decrypts the packets.
The good news is that most current iOS and Windows software are not vulnerable to the attack in the majority of cases. They are only vulnerable under niche circumstances because of the way Apple and Microsoft implemented the WPA2 to prevent resends to the third handshake message. However, there are still millions of devices which will be under threat and be hard to fix.
If you were scared to connect to public Wi-Fi before, you certainly won’t be now!