Wi-Fi’s Most Popular Encryption May Have Been Cracked


Your home Wi-Fi might not be as secure as you think. WPA2 — the de facto standard for Wi-Fi password security worldwide — may have been compromised, with huge ramifications for almost all of the Wi-Fi networks in our homes and businesses as well as for the networking companies that build them. Details are still sketchy as the story develops, but it’s looking like a new method called KRACK — for Key Reinstallation AttaCK — is responsible.

WPA stands for Wi-Fi Protected Access, but it might not be as protected as we’ve all been assuming. It looks like security researcher Mathy Vanhoef will present the (potentially) revelatory findings at around 10PM AEST Monday — although it’s been worked on for some time; Vanhoef first teased the revelations 49 days ago.

In the source code of a dormant website called Krack Attacks apparently belonging to Vanhoef, a description reads: “This website presents the Key Reinstallation Attack (KRACK). It breaks the WPA2 protocol by forcing nonce reuse in encryption algorithms used by Wi-Fi.” Vanhoef’s website also lists a paper to be released at CCS 2017 detailing the method for key reinstallation attacks, co-authored with security researcher Frank Piessens.
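Why forced nonce reuse matters, as an added example (not code from Vanhoef's site or paper): a toy model in which reinstalling an in-use key rewinds the nonce counter, next to a variant that ignores the reinstall. The `Session` class, the HMAC-based keystream standing in for WPA2's AES-based cipher, and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

def keystream(key, nonce, length):
    """Toy counter-mode keystream (HMAC-SHA256 stand-in, not WPA2's real cipher)."""
    out, block = b"", 0
    while len(out) < length:
        msg = nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Session:
    """Hypothetical model of a client's transmit state: one key, one nonce counter."""
    def __init__(self, ignore_reinstall):
        self.ignore_reinstall = ignore_reinstall
        self.key = None
        self.nonce = 0

    def install_key(self, key):
        # Hardened behaviour: a key already in use is not installed again,
        # so the nonce counter keeps counting upward.
        if self.ignore_reinstall and key == self.key:
            return
        self.key = key
        self.nonce = 0  # weak behaviour: reinstalling the same key rewinds the nonce

    def encrypt(self, plaintext):
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))

def demo(ignore_reinstall):
    key = b"constructed-session-key"      # constructed sample value
    known = b"GET /index.html "           # constructed frame an observer can guess
    secret = b"password=hunter2"          # constructed frame the observer cannot see
    s = Session(ignore_reinstall)
    s.install_key(key)
    n1, c1 = s.encrypt(known)
    s.install_key(key)                    # the same key is installed a second time
    n2, c2 = s.encrypt(secret)
    # Same key and nonce means same keystream, so c1 XOR c2 == known XOR secret.
    return n1, n2, xor(xor(c1, c2), known)

if __name__ == "__main__":
    print("weak:    ", demo(False))
    print("hardened:", demo(True))
```

In the weak model both frames are sent under nonce 1 and the second plaintext falls out of the XOR; in the hardened model the nonces are 1 and 2 and the same XOR yields only noise.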

Part of the potential flaw in WPA, the researchers previously suggested in a 2016 paper, could be that the random number generation used to create ‘group keys’ — the pre-shared encryption key shared on non-enterprise WPA/WPA2 wireless networks — isn’t random enough and can be predicted.

With that prediction of not-so-random numbers in place, the researchers have demonstrated the ability to flood a network with authentication handshakes and determine a 128-bit WPA2 key through sheer volume of random number collection. Though it’s not yet clear, the re-use of a non-random key could allow an attacker to piggyback their way into a wireless network and then snoop on the data being transmitted within.

However, it may not be the apocalypse that some are suggesting. Given that the publication of this vulnerability has been withheld, a fix may already be in the works — or already completed — from major wireless vendors.

Most home and business wireless routers currently using WPA2 should be relatively easy to upgrade to address the potential security issue, but the millions of Internet of Things wireless devices already in the world will be hardest hit — devices that are un-upgradeable, but will still need to connect to insecure networks or use soon-to-be-deprecated methods. This could get messy.

Back in the day, the original Wired Equivalent Privacy (WEP) encryption standard was cracked to the point of off-the-shelf tools breaking it in as little as a minute.

If you go war-driving today around your city or town, it’s still likely you’ll find wireless networks ‘protected’ by WEP, because end users still don’t know that it’s unsafe. It was superseded by WPA and WPA2 in later years, but we might be on the search for a new Wi-Fi encryption method in the years to come: KRACK may mean that the fundamental privacy we expect of a network protected by WPA2 is no more.

If you’re interested, keep an eye on this website over the next few hours. Either way, find the login details for your Wi-Fi router, because you should probably get ready to update it in the near future.

[Reddit / Krack Attacks]


  • Why wouldn’t IoT devices be upgradeable? This is just a firmware update, all the IoT devices I have support firmware updates.

    • Assuming your vendors can be bothered to release them. Saw how the KRACK works on Android and I can guarantee that 90% of older Android devices won’t be receiving updates to fix this.

      • I read the details of both the 2016 and KRACK vulnerabilities, they both have trivial fixes and older Android versions do continue to receive monthly security updates. Are you suggesting the carriers won’t push out updates on older versions, or that Google won’t bother to issue the patch in the first place?

  • Ah I remember back in the 80’s being really into Cyberpunk and supporting those fearless hackers facing off against the evil megacorps.

    207 rolls around and I’m on the side of the megacorps. HUNT THEM DOWN. They are annoying me

  • I predict that 99% of home AP’s and 70%+ of business AP’s will not have firmware upgraded in the next 10 years to take care of this.
