Wi-Fi flaw sparks security concerns

Internet security experts and US officials on Monday warned about a newly-discovered Wi-Fi network vulnerability, saying it enables hackers to spread malware and steal sensitive information.

The US government's Computer Emergency Response Team (CERT) issued a statement saying the Wi-Fi security flaw can allow hackers to eavesdrop or hijack electronic devices that are connected to wireless networks.

Read more: EU lawmakers back free Wi-Fi scheme

"Exploitation of these vulnerabilities could allow an attacker to take control of an affected system," said CERT, which is part of the US Department of Homeland Security.

The US warning came after Belgian researchers Mathy Vanhoef and Frank Piessens of Belgian university KU Leuven published their findings on the bug, which they dubbed "KRACK" for Key Reinstallation Attack.

The security flaw affects WPA2, an encryption protocol commonly used to secure Wi-Fi networks. The protocol protects communications between laptops, mobile phones and other devices connected to routers or hot spots.

"This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on," Vanhoef and Piessens wrote on a website set up to provide information on KRACK. In a video, the researchers demonstrate how the flaw can be used to view usernames and passwords for supposedly secure sites.

"The attack works against all modern protected Wi-Fi networks," they added.

Read more: Germany plans to relieve open Wi-Fi network providers from legal costs and passwords

Millions of users affected

Vanhoef and Piessens' report noted that the KRACK attack could only occur if the hacker is within range of the potential victim, but could happen on any Wi-Fi network whether at the office, coffee shop or at home.

The Wi-Fi Alliance, an industry group, said on Monday that there's no evidence yet that the flaw has been exploited maliciously.

Read more: Hacking for the government: Germany opens ZITiS cyber surveillance agency

They also added that the issue "could be resolved through a straightforward software update."

The Belgian researcher's discovery was reportedly kept secret for weeks so that Wi-Fi systems could develop security patches for the flaw, according to news site Ars Technica.

Computer scientists expressed concern over the discovery on Monday, saying that it will be difficult to patch millions of wireless systems.

"The worst part of it is that it's an issue with Wi-Fi protocols, which means it affects practically every single person in the world that uses Wi-Fi networks," researchers at Finland-based security firm F-Secure said in a statement.

Microsoft said it had already released a patch on October 10 to protect Windows users while a spokesman for Google said the company is still working on a patch that is due to come out "in the coming weeks."

rs/rc    (AP, AFP, Reuters)