- Research came out Monday with an announcement that shook the internet: "All modern protected Wi-Fi networks" were vulnerable to weaknesses in WPA2. Referred to as the KRACK Wi-Fi vulnerability, if an attacker is within Wi-Fi range of a target, they can exploit key reinstallation attacks, potentially stealing credit card numbers, passwords and other sensitive data, according to Matty Vanhoef of imec-DistriNet. A CERT notice listed almost 150 vendors impacted by the vulnerability, detailing whether or not updates were put in place.
- Some variant of the flaw impacts Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and other devices. With more than 40% of Android devices vulnerable, Google is working on delivering a patch in "coming weeks," The Verge reports. Microsoft said it already released an update to fix the flaw, which will protect customers who apply the update or have automatic updates turned on, the company said in a statement to The Verge. Cisco already has some patches available for its products, and will continue publishing fixes as the software updates become available, the company said in a statement to ZDNet.
- Currently, there is "no evidence" that attackers have "maliciously" exploited the flaw, according to the Wi-Fi Alliance, which now requires testing for the vulnerability in its global certification network. The organization has also provided a vulnerability detection tool for members.
The big question with any disclosed exploit is, what's the impact? For the KRACK vulnerability, researchers simply said, "if your device supports Wi-Fi, it is most likely affected."
That does not necessarily mean attackers have already come within range to target users' data, but if given the opportunity hackers could take advantage of the flaw and launch an attack.
Now that researchers know about the flaw, it all comes down to response. How vendors and clients respond will dictate the impact of the vulnerability, determining whether an internet emergency ensues for an organization or if crisis is averted.
Organizations just have to be diligent about rolling out vendor-provided updates in a timely manner to ensure the lurking flaw does not persist.
As KrebsOnSecurity noted, vendors knew about the flaw weeks before the public disclosure, which is why some vendors already have updates protecting against the flaw in place. And because this is an attack that cannot be executed remotely, companies have a layer of physical location security that can work to protect them.