PC Pro

KRACK Wi-Fi weakness may never be fully fixed

SECURITY EXPERTS SAY the KRACK Wi-Fi vulnerability may never be completely resolved due to the sheer breadth and age of the systems affected by the threat.

KRACK, short for Key Reinstallation Attack, exploits a fundamental weakness in the WPA2 protocol that supposedly locks down wireless networks. Mathy Vanhoef of imec-DistriNet, who found the weakness, said “attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted”.

Software vendors moved quickly, with Microsoft and Apple releasing updates and Google promising an Android patch, but any devices that are no longer supported will remain vulnerable. “It’s not a single vulnerability – in some levels this will be resolved pretty quickly from the major OS vendors, and on some levels it will never be resolved,” said Jarno Niemelä, senior security researcher at F-Secure.

“All the devices with vendor support, and some routers, will be updated, but some will be vulnerable until they are replaced and there are many Android devices where the vendors are not going to supply updates and that’s without even mentioning IoT devices.

“This is not going to go away as long as there are devices that don’t get updates and remain in active use.”

Advice to mitigate the issue included updating software, switching on auto-updates on routers where available and using a VPN for Wi-Fi.
