‘Everyone needs to be afraid’: alarm as ‘Krack’ Wi-fi encryption flaw exposes millions to hackers

US government and private security firms sound alert as Wi-fi users risk theft of passwords and credit card data, as well as eavesdropping and hijacking of their devices

Reading Time:3 minutes

Security researchers have discovered a Wi-Fi network vulnerability that could allow attackers to steal sensitive information or inject malicious code while someone is logged into a computer or mobile device. Photo: AP

Published: 12:47pm, 17 Oct 2017Updated: 7:30pm, 17 Oct 2017

A newly discovered flaw in the widely used Wi-fi encryption protocol could leave millions of users vulnerable to attacks, prompting warnings Monday from the US government and security researchers worldwide.

The US government’s Computer Emergency Response Team (CERT) issued a security bulletin saying the flaw can open the door to hackers seeking to eavesdrop on or hijack devices using wireless networks.

“Exploitation of these vulnerabilities could allow an attacker to take control of an affected system,” said CERT, which is part of the US Department of Homeland Security.

The agency’s warning came on the heels of research by computer scientists at the Belgian university KU Leuven, who dubbed the flaw Krack, for Key Reinstallation Attack.

According to the news site Ars Technica, the discovery was a closely guarded secret for weeks to allow Wi-fi systems worldwide to develop security patches.

A Wi-Fi zone on Singapore’s Orchard Road. Photo: AFP

This can be abused to steal … credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-fi networks

KU Leuven researcher Mathy Vanhoef

Attackers can exploit the flaw in WPA2 – the name for the encryption protocol – “to read information that was previously assumed to be safely encrypted,” said a blog post by KU Leuven researcher Mathy Vanhoef.