These days, most people connect to the internet via Wi-Fi. We've been taught that on unprotected, open hotspots, you can easily be followed around the web, but generally, we would assume that password-protected networks are relatively safe from outside attacks. As it turns out, a vulnerability in the widely used Wi-Fi protected access 2 (WPA2) protocol lets hackers view unencrypted connections on these networks, even if they don't know the password. Patches are already rolling out to current routers and client devices, leaving only older, unsupported hardware indefinitely affected.
The vulnerability has been discovered by security research firm ESET that also collaborates with Google to protect the Play Store. It named the flaw Kr00k and describes it as a weakness "that allows unauthorized decryption of some WPA2-encrypted traffic." Luckily, only the Wi-Fi layer is affected by the problem, so additionally encrypted transmissions via TLS can't be spoofed. That means your online banking credentials and passwords on websites that connect via HTTPS should be protected.
The company's research has shown that Broadcom and Cypress Wi-Fi chips are affected while those manufactured by Qualcomm, Realtek, Ralink, and MediaTek don't seem to exhibit the same flaw. Other hardware might still be vulnerable to the exploit, though, as ESET couldn't test each and every Wi-Fi chip out there.
ESET provides a non-exhaustive list of affected devices it tested, all of which use the widely popular FullMAC WLAN chips produced by Broadcom and Cypress:
- Amazon Echo 2nd gen
- Amazon Kindle 8th gen
- Apple iPad mini 2
- Apple iPhone 6, 6S, 8, XR
- Apple MacBook Air Retina 13-inch 2018
- Google Nexus 5
- Google Nexus 6
- Google Nexus 6P
- Raspberry Pi 3
- Samsung Galaxy S4 GT-I9505
- Samsung Galaxy S8
- Xiaomi Redmi 3S
Many routers are also affected by the issue, including the Asus RT-N12, the Huawei B612S-25d, the Huawei EchoLife HG8245H, and the Huawei E5577Cs-321. If you own a vulnerable access point, all traffic on your network can be spoofed regardless of applied fixes on client devices.
Apple has already rolled out patches to its devices, and most current Android phones and routers should also be protected as the chip manufacturers have started providing updates since Q4 2019. Older hardware could be left in the cold, though, especially Android handsets like the Nexus series that isn't updated anymore. Even custom ROM developers probably won't be able to patch the vulnerability themselves as they have to rely on binaries from the original manufacturers that would need to contain the fixes. Currently active Nexus handsets will thus probably have to deal with Kr00k indefinitely.
ESET has only focused its tests on the WPA2 protocol. It's unclear whether the issue also affects the succeeding WPA3 standard. In any case, you shouldn't use WPA-TKIP or WEP on your router, as those have been proven to be insecure.