
A vulnerability in the widely used Wi-Fi Protected Access 2 (WPA2) protocol lets hackers view unencrypted connections on these networks, even if they don’t know the password. Patches are already rolling out to current routers and client devices, leaving only older, unsupported hardware indefinitely affected.
The vulnerability was discovered by security research firm ESET, which also collaborates with Google to protect the Play Store. It named the flaw Kr00k and describes it as a weakness “that allows unauthorized decryption of some WPA2-encrypted traffic.” Luckily, only the Wi-Fi layer is affected by the problem, so transmissions that are additionally encrypted via TLS can’t be snooped on. That means your online banking credentials and passwords on websites that connect via HTTPS should be protected.
Amazon Echo 2nd gen
Amazon Kindle 8th gen
Apple iPad mini 2
Apple iPhone 6, 6S, 8, XR
Apple MacBook Air Retina 13-inch 2018
Google Nexus 5
Google Nexus 6
Google Nexus 6P
Raspberry Pi 3
Samsung Galaxy S4 GT-I9505
Samsung Galaxy S8
Xiaomi Redmi 3S
Many routers are also affected by the issue, including the Asus RT-N12, the Huawei B612S-25d, the Huawei EchoLife HG8245H, and the Huawei E5577Cs-321. If you own a vulnerable access point, all traffic on your network can be snooped on regardless of the fixes applied on client devices.
Apple has already rolled out patches to its devices, and most current Android phones and routers should also be protected, as the chip manufacturers have been providing updates since Q4 2019. Older hardware could be left in the cold, though, especially Android handsets like the Nexus series, which aren’t updated anymore. Even custom ROM developers probably won’t be able to patch the vulnerability themselves, as they have to rely on binaries from the original manufacturers that would need to contain the fixes. Currently active Nexus handsets will thus probably have to deal with Kr00k indefinitely.