If you think securing your Wi-Fi network with a strong password is enough to keep hackers away, well, think again you’d be right. A researcher has detailed a new kind of attack, discovered by accident, which would allow hackers to crack your password with ease, no matter how strong the password if it’s a default or weak password.
The security researcher was actually looking at a way to compromise the security of the new WPA3 security standard for Wi-Fi networks, when he discovered means to bypass passwords on WPA and WPA routers.
Jens “Atom” Steube shared the hack earlier this month, ZDNet explains. The new hack doesn’t involve the traditional methods, because those won’t work on the WPA3 security standard that will be found inside most routers going forward. The new standard will improve the security of Wi-Fi networks and hotspots, and it’ll include new protections that would prevent hackers from brute-forcing their way into a Wi-Fi connection.
Hackers can crack Wi-Fi networks right now by waiting for a user to connect to Wi-Fi, wait for the four-way authentication handshake to take place, and capture the resulting information to brute-force the password.
The new attack doesn’t even require waiting for anyone to connect to the network. The information is gathered and translated into regular hex encoded strings, which would let the hacker crack the security relatively easy.
Once a Wi-Fi network has been penetrated in such a manner, the attacker could deploy additional hits, like eavesdropping on communications and perform Man-in-the-Middle attacks.
The research thinks the attack works against “all 802.11i/p/q/r networks with roaming functions enabled,” or most modern routers. The same attack won’t be possible on WPA3 routers in the future.
UPDATE: A previous version of this post said incorrectly that strong passwords would be easily hacked using this attack. That’s not the case. As Digital Trends explains, the cracking duration depends on the complexity of the password, so it’s advisable to replace default ones with longer, unique passwords that contain a mix of characters, including letters (lower- and upper-case), numbers, and symbols.
Additionally, eero, which makes which makes a popular Wi-Fi mesh system, said in a statement that it’s products can’t be compromised by the attack:
This week, another industry-wide vulnerability impacting home routers and networking equipment was discovered. Consumers with traditional WiFi routers using weak WiFi passwords are the most at risk. As soon as the PMKID attack was announced by researchers, eero’s in-house security and connectivity teams launched a technical investigation to ensure our customers remained safe and protected from this issue. eero can confidently reinforce that our customers are safe. Unlike traditional routers, eero software is designed to prevent “master key” information, like your WiFi password, from being shared. The password of any eero system is never included in the data packet a PMKID attacker would try to capture, making eero systems safer and better protecting our customers.
Headline updated for clarity.