Apple and Google promise updates to fix an 'unprecedented' flaw in Wi-fi protection that has left almost ALL home routers at risk of being hacked

  • Experts were able to crack the code used to generate WPA2 encryption keys 
  • Cyber criminals within physical range of a router could exploit the flaw
  • Apple said it was currently testing updates to iOS and MacOS 
  • Microsoft said it had already fixed the problem for users on Windows 7, 8 and 10
  • Android users could potentially be waiting months before they are safe
  • BT, Sky and Virgin have not issued guidance on how to update routers 

Google and Apple have promised to update the software that caused severe flaws in Wi-Fi home technology networks, leading to one of the biggest security scares of the year.

Computer security experts were on high alert yesterday after it emerged encryption algorithms designed to protect people's privacy online have been cracked.

The incident, described as 'unprecedented', led technology companies to rapidly issue updates - although it seems many could have known about it for weeks.  

Just last month security experts warned we should be on high alert as our home networks could be vulnerable to attack by hackers from a similar Wi-Fi bug (stock image)

SOFTWARE UPDATES

The incident led technology companies to rapidly issue updates - although it seems many could have known about it for weeks.

Apple said it was currently testing updates to iOS and MacOS which would be released in a few weeks' time.

Microsoft said it had already fixed the problem for users on Windows 7, 8 and 10, writes the Telegraph.

Google said it would release a fix on 6 November.

However, Android users could be waiting months before they are safe as manufacturers have to release their own updates.

The updates should limit the security risk but internet users have still been urged to patch their routers.

BT, Sky and Virgin have not issued guidance on how to update routers.

News of the vulnerability, known as Krack, or Key Reinstallation Attacks, emerged after experts from the Katholieke Universiteit (KU) Leuven, Belgium, announced they would be releasing their findings to the public.

They found cyber criminals within physical range of any WPA2 protected wireless router - which includes almost all home users - can spy on your every move online.

It could also provide them easy access to data from smart devices, including baby monitors and internet connected security cameras.

Details of the exploit were published to the researchers' website shortly before this article was published.

Krack exploits a flaw in the Wi-Fi Protected Access II (WPA2) protocol, developed 13 years ago, that renders the protocol useless.

Depending on the network configuration, it is also possible hackers could inject and manipulate data.

Cyber criminals within physical range of any WPA2 protected wireless router can spy on our every move online. It could also provide them easy access to data from our smart devices, including baby monitors and internet connected security cameras (stock image)

WHAT CAN USERS DO?

Until ISPs and router manufacturers issue firmware updates, users may continue to be vulnerable to the exploit.

However, there are some ways people can protect their data.

Traffic to and from HTTPS websites should remain secure, so check the URL of any page before entering sensitive data into it.

Unprotected sites begin with HTTP:// rather than HTTPS://

Anyone with smart devices should visit the manufacturer's website to check for the latest security updates.

Be aware that any data sent in plain text across your home network may be visible; some email clients, for example, use plain text.

For example, an attacker might be able to inject ransomware or other malware into websites.

In a written statement, the researchers said: 'We discovered serious weaknesses in WPA2, a protocol that secures all modern protected WiFi networks.

'An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks.

'Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted.

'This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on.' 

Krack is believed to target a process called a handshake, an automated negotiation that happens between devices on a network.

Handshaking establishes rules for communication between a 'foreign' device and the router, whether that's a printer, server or smartphone.

By agreeing to the rules established during the handshake, the foreign device is then able to establish a connection with the home network.

WPA2 uses a four-way handshake to establish a key for encrypting traffic, to protect it from prying eyes.

During the third stage, researchers discovered the key can be resent multiple times.

Key generation, while seemingly random, is actually governed by a mathematical formula.

Through this third stage, they are believed to have been able to crack the underlying formula used to generate keys through trial and error.
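What goes wrong when the third handshake message is accepted more than once, as an added illustration that is not from the article or the KU Leuven researchers: a client that reinstalls the key restarts its per-frame counter, so two frames are encrypted with the same key and counter value, while a patched client ignores the repeat. The `Client` class, the key and the sample frames are constructed for this example, and a SHA-256 keystream stands in for WPA2's real cipher.

```python
import hashlib

def keystream(key, nonce, length):
    # Toy keystream from SHA-256(key || nonce || block); a stand-in, not WPA2's cipher.
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical client: models only key installation and the per-frame counter."""
    def __init__(self, patched):
        self.patched, self.key, self.packet_number = patched, None, 0
    def on_message3(self, key):
        # Patched: a repeat of message 3 carrying the key already in use changes nothing.
        if self.patched and key == self.key:
            return
        self.key = key
        self.packet_number = 0  # unpatched: the counter restarts on every (re)install
    def send(self, plaintext):
        self.packet_number += 1
        stream = keystream(self.key, self.packet_number, len(plaintext))
        return self.packet_number, xor(plaintext, stream)

P1 = b"GET /inbox HTTP/1.1"   # constructed sample frames, equal length
P2 = b"user=alice&pin=0000"

def run(patched):
    # Frame, repeated message 3, frame; returns the two (counter, ciphertext) pairs.
    client, key = Client(patched), b"constructed-session-key"  # constructed key
    client.on_message3(key)
    first = client.send(P1)
    client.on_message3(key)  # third handshake message received a second time
    return first, client.send(P2)

def counter_reused(frames):
    return frames[0][0] == frames[1][0]

def ciphertext_xor(frames):
    # If the counter repeated, the keystream cancels and this equals P1 XOR P2.
    return xor(frames[0][1], frames[1][1])

if __name__ == "__main__":
    for patched in (False, True):
        print(patched, counter_reused(run(patched)), ciphertext_xor(run(patched)) == xor(P1, P2))
```

A repeated counter value under one key is also the condition a monitoring tool can flag, since a correctly behaving client never sends the same value twice.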

The full findings of the KU Leuven team will be presented on November 1 at the ACM Conference on Computer and Communications Security in Dallas.
