Security researchers have revealed that almost every Wi-Fi router is vulnerable to attack, leading to concerns from tech companies and consumers alike.
Named the Krack flaw, which stands for Key Reinstallation Attack, Microsoft has already fixed the flaw for customers running supported versions of its Windows Software. Apple has promised it was testing updates to iOS and MacOS and would be released within weeks.
Google, however, has said it won’t be releasing a patch until November 6. If you have an Android phone that isn’t created by Google then you will have to wait till the manufacturer releases its individual security updates, meaning it could be months before a device is secured.
What is the Krack Wi-Fi flaw and how has it become so serious?
What is the Krack Wi-Fi flaw?
The Krack vulnerability exploits a flaw in the so-called handshake between the device, like a laptop or a smartphone, and the Wi-Fi router. Almost all Wi-Fi routers created in the past 14 years have their traffic encrypted by a protocol known as WPA or WPA-2.
This prevents anyone from accessing the data being transferred from a device through the secure network, which involves a four-way so-called handshake.
However, security researchers at the University of Leuven in Belgium, Mathy Vanhoef and Frank Piessens, found a way to install a new key in a key reinstallation attack (Krack), which could allow a hacker to gain access to the data on the network.
Once access to the network has been granted, hackers could access data regarding passwords, credit card numbers, photos, and messages.
An attacker would need to be in the range of the Wi-Fi network to carry out the attack, which should give some piece of mind to concerned consumers.
Why are Google’s products unsecured?
Google has said it will get its update out in early November however this may be a source of concern for Android users. According to Vanhoef and Piessens’ research, this type of attack is “exceptionally devastating against Android 6.0”.
They believe that around 31.2 percent of Android devices are vulnerable to this attack.
However, attackers won’t be able to access all the data on the network. Websites that begin with https: and feature a little lock in the corner of the browser will remain encrypted, keeping the data stored through these sites safe.
Researchers have advised checking with your router vendor to see if they will be making security updates.
Google has been having issues when it comes to device security
At this year’s Made by Google event, the company unveiled its new devices, including the Google Pixel 2 and a mini version of the smart speaker Google Home.
However, when tech journalist Artem Russakovskii tried out the Google Home Mini for a review, he discovered that his Mini was recording everything that was happening.
“The Mini was behaving very differently from all the other Homes and Echos in my home – it was waking up thousands of times a day, recording, then sending those recordings to Google. All of this was done quietly, with only the four lights on the unit I was looking at flashing on and then off,” Russakovskii reported for AndroidPolice.
Google issued a software patch to fix the issue and said it was only in the pre-release units, not the consumer version of the Home Mini.
“We have learned of an issue impacting a small number of Google Home Minis that could cause the touch mechanism to behave incorrectly. We are rolling out a software update today that should address the issue.”
Most flaws like this happen on a small scale, but it serves to remind consumers to ensure they are secure online.