The WPA2 protocol, used by the vast majority of Wi-Fi connections, has been broken by Belgian researchers.
In an attack that is threatening to become bigger, researchers found high-severity vulnerabilities in WPA2 (Wi-Fi Protected Access II), a popular security protocol used by nearly every router on the planet. The vulnerabilities could potentially allow anyone near your router to eavesdrop on the Wi-Fi traffic being sent through it. Mathy Vanhoef, a security expert at Belgian university KU Leuven, discovered the weakness in the wireless security protocol. The vulnerability affects a number of operating systems and devices, Vanhoef says, including Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and others.
“Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted,” Vanhoef told The Guardian. “This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos and so on.”
Vanhoef emphasised that “the attack works against all modern protected wifi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites”.
“If your device supports Wi-Fi, it is most likely affected,” Vanhoef writes. “In general, any data or information that the victim transmits can be decrypted … Additionally, depending on the device being used and the network setup, it is also possible to decrypt data sent towards the victim (e.g. the content of a website).”
An advisory distributed by the US CERT (Computer Emergency Readiness Team) and obtained by Ars Technica says, “US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.”
The development is significant because the compromised security protocol is the most secure in general use for encrypting Wi-Fi connections. Older security standards have been broken in the past, but on those occasions a successor was available and in widespread use.
Seeking to calm the panic that the research has created, Alex Hudson, the chief technical officer of subscription service Iron, told The Guardian that it is important to “keep calm”. “There is a limited amount of physical security already on offer by Wi-Fi: an attack needs to be in proximity,” Hudson writes. “So, you’re not suddenly vulnerable to everyone on the internet. It’s very weak protection, but this is important when reviewing your threat level.
“Additionally, it’s likely that you don’t have too many protocols relying on WPA2 security. Every time you access an https site … your browser is negotiating a separate layer of encryption. Accessing secure websites over Wi-Fi is still totally safe. Hopefully – but there is no guarantee – you don’t have much information going over your network that requires the encryption WPA2 provides.”
Essentially, the attack is unlikely to affect the security of information sent over the network that is protected in addition to the standard WPA2 encryption. This means that connections to secure websites are still safe, as are other encrypted connections such as virtual private networks (VPN) and SSH communications. However, insecure connections to websites – those which do not display the padlock icon in the address bar that indicates support for HTTPS – should be considered public, and viewable to any other user on the network, until the vulnerability is fixed.