Researchers have discovered a flaw in the security mechanism used to secure just about every Wi-Fi router out there. The vulnerabilities are in the encryption protocols that routers and other wireless devices use: WPA and WPA2. WPA2 is the newer protocol and the one most home and business routers and devices are using. The newly found vulnerability has been dubbed the “Krack Attack.”
So what can a hacker exploiting the newly found vulnerability in wireless security do? According to the International Consortium for Advancement of Cybersecurity on the Internet (ICASI), hackers could potentially seize control of the affected device, inject malware, and wreak all sorts of havoc on a Wi-Fi network.
Device manufacturers and tech companies are already issuing security patches for their devices and software or have released a statement about the issue:
Microsoft: Windows PCs and devices are considered to be generally safe from the attack, but Microsoft said in a statement to The Verge that it is releasing a fix through its automatic updating feature.
Google: Google says that all Android devices are affected and those running Marshmallow (Android 6.0) have an even greater vulnerability. According to Android Central, Google will release a fix “in the near future.”
Belkin/Linksys: A spokesperson for Belkin emailed the following statement (Belkin manufactures the widely-used Linksys router as well as smart-home Wemo devices):
“Belkin International (Belkin, Linksys, and Wemo) is aware of the WPA vulnerability. Our security teams are verifying details and we will advise accordingly. Also know that we are committed to putting the customer first and are planning to post instructions on our security advisory page on what customers can do to update their products, if and when required.”
ZDNet has a list of companies releasing fixes that it is updating regularly. From ZDNet:
Intel: Intel has released a security advisory listing updated Wi-Fi drivers and patches for affected chipsets, as well as Intel Active Management Technology, which is used by system manufacturers.
Linux: As noted on Charged, a patch is already available and Debian builds can patch now, while OpenBSD was fixed back in July.
The WiFi Standard: A fix is available for vendors but not directly for end users.
MikroTik: The vendor has already released patches which fix the vulnerabilities.
Google: Google told The Verge that the company is “aware of the issue, and we will be patching any affected devices in the coming weeks.”
AVM: This company may not be taking the issue seriously enough, as, due to its “limited attack vector,” and despite being aware of the issue, it will not be issuing security fixes “unless necessary.”
OpenBSD: Patches are now available.
Microsoft: While Windows machines are generally considered safe, the Redmond giant isn’t taking any chances and has released a security fix available through automatic updates.
Netgear: Netgear has released fixes for some router hardware. The full list can be found here.
Ubiquiti Networks: A new firmware release, version 22.214.171.12437, protects users against the attack.
It’s a good idea to contact the manufacturers of your devices, including your router, smartphones, PCs and laptops, as well as those that make Internet of Things devices such as Alexa, smart TVs or internet-connected appliances, to find out whether those devices are vulnerable and, if they are, when a fix will be available.