The vulnerability in WPA2 means hackers can access “credit card numbers, passwords, chat messages, emails, photos” or anything else transmitted over Wi-Fi, according to Dr Mathy Vanhoef.
Dr Vanhoef, a researcher at KU Leuven, published the details of what he branded the KRACK (key reinstallation attack) on Monday.
Experts claim it poses a huge risk to businesses – and warn the issue may never be completely fixed for old phones and routers.
The vulnerability can be patched, and Dr Vanhoef informed affected manufacturers of the issue in August – Apple, Google and Microsoft among them.
But Dr Steven J Murdoch, a security research fellow at UCL, told Sky News: “Many manufacturers do not fix vulnerabilities in their products which they are not actively marketing.
“It is likely that some products, particularly Android smartphones, and Wi-Fi routers, will never be fixed.”
A video showing a technical explanation of the attack on YouTube explains how it is “exceptionally devastating” against Android phones, which can be “tricked” into installing an empty encryption key.
Dr Vanhoef said that 41% of Android devices were vulnerable to this, with the empty encryption key effectively leaving communications unencrypted.
:: Wi-Fi hacking
Back in 2005, a hacker penetrated the Wi-Fi network of US retailer TJX to complete what was then the world’s biggest-known theft of credit card numbers.
The upshot of the vulnerability is that it requires an attacker to be within range of the Wi-Fi network’s radio waves, and only affects the communications between the device and the Wi-Fi access point.
Devices using end-to-end encryption, such as on websites using HTTPS, would still have that encrypted protection – meaning the eavesdropper would not be able to read that information.
However, any web traffic that was not encrypted would be easily visible to the attacker – including traffic within local Wi-Fi networks.
“The vulnerability is serious, but to exploit it the criminal has to be physically near the computer they want to attack,” said Dr Murdoch.
“For this reason the more valuable the network, the more likely it is criminals will make the effort to carry out the attack, so businesses are at a higher risk than average home users.”
A spokesperson for the National Cyber Security Centre said it would be issuing guidance if needed.


