The vulnerability affects any wireless devices including computers, smartphones and the growing array of internet-connected thermostats, televisions, personal assistants and other devices known as the internet of things. | Jeff White/Invision for H&R Block/AP Cyber researchers reveal serious Wi-Fi security flaw

Researchers on Monday disclosed a serious security flaw in the encryption standard that protects tens of millions of consumer, business and government Wi-Fi networks — a hole they said could allow hackers to intercept sensitive traffic, tamper with websites or install malware or ransomware.

The flaw affects a security protocol known as WPA2, one of the most popular ways of securing Wi-Fi networks. The vulnerability affects any wireless device that connects to a network secured with the protocol, according to the research team at KU Leuven in Belgium — a category that includes computers, smartphones and the growing array of internet-connected thermostats, televisions, personal assistants and other devices known as the internet of things.


“In general, any data or information that the victim transmits can be decrypted,” wrote the researchers, who also posted a video in which they used the technique to capture a password entered on Match.com. They added in bold-faced type: "The attack works against all modern protected Wi-Fi networks."

In some circumstances, hackers can also manipulate data transmitted from a router to a client.

Sen. Mark Warner (D-Va.), who is sponsoring a bill that would impose minimum security standards for internet-connected devices that federal agencies purchase, said the latest news "illustrates the importance of adopting basic hygiene requirements for the rapidly proliferating Internet of Things.”.

“In the past year we’ve seen exploitable vulnerabilities reported in a range of widely-used components, with a vulnerability in Bluetooth impacting potentially 8.2 billion devices and a vulnerability in a commonly-used Wi-Fi chipset impacting nearly a billion devices," Warner said in a statement.

Under current law, however, patching the Wi-Fi hole would be at the discretion of individual software and hardware vendors.

Cybersecurity experts said the discovery was significant but not apocalyptic, because the vulnerabilities are fixable and there is no publicly available code to exploit them.

"You would need an incredibly high skill set and to be [physically located] at the [target wireless router] to attack this," security researcher Kevin Beaumont wrote on his blog.

Additionally, Windows and iOS devices — among the most common computers and phones in the world — are not vulnerable to the primary method of attack because of the way they handle wireless transmissions. They are vulnerable to a secondary method, but Beaumont told POLITICO that he didn't see "how that could be exploited for useful traffic."

Websites that encrypt their traffic — marked by "https" in the address bar — are also protected from attempts to use this vulnerability for eavesdropping, Beaumont said via Twitter DM, even if the people browsing them are using unpatched routers.

Still, in the hours after the KU Leuven team revealed the code flaws, device makers scrambled to respond.

The researchers wrote that Android devices, along with other products that run code based on the Linux operating system, are vulnerable to an “exceptionally devastating variant” of the hack.

"We're aware of the issue," a Google spokesman told POLITICO, "and we will be patching any affected devices in the coming weeks." The spokesman said Google has already sent its manufacturer and carrier partners an alert to prepare them for the patches.

But many Android devices may remain unpatched indefinitely, given the large variations in manufacturers' and cellphone carriers' speed in updating their software — a process largely outside Google's control.

TP-Link, a major Chinese manufacturer of computer networking equipment, said Monday that it's investigating the security hole.

Morning Cybersecurity A daily briefing on politics and cybersecurity — weekday mornings, in your inbox. Email Sign Up By signing up you agree to receive email newsletters or alerts from POLITICO. You can unsubscribe at any time. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Cisco said several of its products were affected and promised to release patches for them. A spokeswoman for Belkin, which releases devices under the Belkin, Linksys and Waymo brands, said the company's "security teams are verifying details" of the vulnerability and would post information about how to install any updates that the company releases.

A spokeswoman for TRENDnet said the company is "aware of the issue" and would be "taking measures to ensure that any TRENDnet product that may be affected receives updates to quickly address any security concerns."

Fellow networking device makers Netgear and ASUS did not respond to emails asking if they were preparing patches.

The vulnerability involves so-called key reinstallation attacks, in which hackers trick computers, phones and other devices into trusting a security key that has been compromised.

The KU Leuven researchers said the flaw comprised 10 distinct vulnerabilities in the way Wi-Fi networks transmit encrypted data.

