UPDATED 13:06 EDT / OCTOBER 16 2017


Newly disclosed Wi-Fi exploit exposes Windows, Android and iOS devices worldwide

Two European researchers have made an alarming discovery about the technology underpinning the security of Wi-Fi networks that they say renders every major operating system vulnerable to eavesdropping. 

Mathy Vanhoef and Frank Piessens of Belgian university KU Leuven revealed an exploit Monday that enables hackers to compromise connections secured with the Wi-Fi Protected Access II protocol, or WPA2. Implementations of the technology can be found in the overwhelming majority of modern wireless networks. And as if that wasn’t enough, legacy devices that still use the previous-generation WPA1 standard are affected as well.

The exploit takes advantage of a flaw in the way Wi-Fi connections are established. When a device links up to a wireless router, a cryptographic key is generated to encrypt traffic in a process known as a handshake. Vanhoef and Piessens discovered that hackers can duplicate the cipher to unscramble the data traveling across the network.

The researchers have named the exploit KRACK, which is short for key reinstallation attack. They warned in a web page detailing the vulnerability that “this can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos and so on.”

Worse, some network configurations may even enable hackers to modify the intercepted data. A determined attacker could potentially corrupt web content accessed by a user with malicious code.

KRACK affects devices running Windows, macOS, iOS, Android and Linux along with several other platforms. The fact that the exploit is rooted in a software problem means users can’t solve it by doing something like changing their Wi-Fi password. The only solution is patching, but full fixes are not yet widely available.

Microsoft Corp. said in a statement to The Verge that it has released an update to protect Windows installations from the exploit, but the researchers nonetheless argued that the operating system is vulnerable to certain variations of the attack. They wrote that the same is true for Apple Inc.’s iOS, though Apple said it has patched the exploits in iOS, tvOS, watchOS and macOS beta versions for developers and would roll them out to consumers soon. Versions 6.0 and above of Android, meanwhile, are susceptible to an “exceptionally devastating” flavor of KRACK that currently remains unfixed as well.

The silver lining is that a malicious party must be physically in range of a Wi-Fi network to use the exploit. That means hackers should have a hard time carrying out attacks en masse, which is good news for consumers. But the risk is still severe in locations such as offices, where upwards of hundreds of users can carry wireless devices.
