A major vulnerability has been discovered in Wi-Fi encryption that can allow attackers to read Wi-Fi traffic between devices and wireless access points. Attackers can even modify the key to inject malware into websites. Researchers have disclosed that Android and Linux-based devices are the worst affected. They claim the attack works against all modern Wi-Fi networks using WPA or WPA2 encryption, and that because the weakness is in the Wi-Fi standard itself, it affects macOS, Windows, Android, and Linux devices.
The attack requires that a device be within range of a malicious device. By intercepting traffic, attackers can read information that was previously assumed to be safely encrypted, and they don’t even need to crack a Wi-Fi password to achieve this.
This hack can be used to steal credit card numbers, passwords, chat messages, photos, emails, and much more.
41 percent of Android devices are vulnerable to this new Wi-Fi attack. Android devices will require security patches to protect against this. Currently, the exploit doesn’t target access points. The attack exploits vulnerabilities in the 4-way handshake of the WPA2 protocol, a security handshake that ensures that the client and the access point have the same password when joining a Wi-Fi network.
As this is a client-based attack, expect to see a number of patches for devices in the coming weeks.
Should I change my Wi-Fi password?
Changing the password of your Wi-Fi network does not prevent (or mitigate) the attack. So you do not have to update the password of your Wi-Fi network. Instead, you should make sure all your devices are updated, and you should also update the firmware of your router. After updating your router, you can optionally change the Wi-Fi password as an extra precaution.
I’m using WPA2 with only AES. That’s also vulnerable?
Yes, that network configuration is also vulnerable. The attack works against both WPA1 and WPA2, against personal and enterprise networks, and against any cipher suite being used (WPA-TKIP, AES-CCMP, and GCMP).
Is my device vulnerable?
Any device that uses Wi-Fi is likely vulnerable. Contact your vendor for more information.