New Zealanders shouldn't use WiFi they don't trust until their equipment is updated, says InternetNZ.

A US cyber security watchdog has issued a warning for users to update their devices to protect against a newly discovered vulnerability that affects nearly every modern, protected WiFi network.

This followed security expert Mathy Vanhoef at the University of Leuven in Belgium publishing findings that showed that a widely used encryption system for wireless networks could give attackers an opening to steal sensitive information such as emails, chat histories and credit card numbers.

The exploit would allow hackers to eavesdrop on Internet traffic between computers and wireless access points.


InternetNZ deputy chief executive Andrew Cushen said that most users were vulnerable until their equipment was "patched" and updated.

"There is vulnerability for most users until their equipment is patched; at this point their equipment isn't patched," Cushen said.

"Until it is patched, if you don't trust the WiFi network you're on, you shouldn't use it," he said.

"The main thing people should be doing is putting pressure on the equipment provider of the WiFi they use to make sure it's patched as quickly as possible."

Cushen said this served as a reminder for people to exercise basic internet hygiene.

Spark said it was liaising with makers of modems, phones, tablets and laptops to find out when they will have patches available.

The telco said it was not aware of any Spark customers who have been compromised by the vulnerability.

It is believed that any device that supports WiFi probably leaves itself vulnerable to this attack, called KRACK, for Key Reinstallation Attack.


"The attack works against all modern protected Wi-Fi networks," Mathy Vanhoef said on a website he created to share his research. "Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites."

Vanhoef said any device that supports WiFi probably leaves itself vulnerable to this attack, called KRACK, for Key Reinstallation Attack. "During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks," he noted on the website.

Cisco, Intel and Samsung were among the companies whose products were affected; they have since updated their devices.

In a statement, Microsoft said, "We have released a security update for all supported versions of Windows. Customers who applied the update, or have automatic updates enabled, will already be protected. We continue to encourage customers to turn on automatic updates to help ensure they benefit from the latest protections available."

Apple did not immediately respond to a request for comment, but Vanhoef noted that iOS and Windows devices were not the most vulnerable to the exploit. The attack, however, is "exceptionally devastating" for devices that run Android 6.0, Vanhoef found. Google did not respond to a request for comment.

Vanhoef noted that even when Internet users connect to secure websites that use the HTTPS protocol, they may still be at risk. "Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations," he said.

While he acknowledged that some of the attack scenarios discussed in his research are impractical to pull off, he said the bottom line is that you should still "update all your devices once security updates are available."