All WiFi Networks Are Vulnerable to Hacking

Uploaded on 2017-11-13 in BUSINESS-Services-IT & Telecoms, FREE TO VIEW, NEWS-Cybersecurity News

The security protocol used to protect the vast majority of WiFi connections has been broken, potentially exposing wireless Internet traffic to malicious eavesdroppers and attacks, according to the researcher who discovered the weakness.

Mathy Vanhoef, a security expert at Belgian university KU Leuven, discovered the weakness in the wireless security protocol WPA2.
 
“Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted,” Vanhoef’s report said. “This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos and so on.

Vanhoef emphasised that “the attack works against all modern protected WiFi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”

The vulnerability affects a number of operating systems and devices, the report said, including Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and others.

“If your device supports WiFi, it is most likely affected,” Vanhoef wrote. “In general, any data or information that the victim transmits can be decrypted … Additionally, depending on the device being used and the network setup, it is also possible to decrypt data sent towards the victim (e.g. the content of a website).”

Vanhoef gave the weakness the codename Krack, short for Key Reinstallation AttaCK.

Britain’s National Cyber Security Centre said in a statement it was examining the vulnerability. “Research has been published today into potential global weaknesses to WiFi systems. The attacker would have to be physically close to the target and the potential weaknesses would not compromise connections to secure websites, such as banking services or online shopping.

“We are examining the research and will be providing guidance if required. Internet security is a key NCSC priority and we continuously update our advice on issues such as WiFi safety, device management and browser security.”

The United States Computer Emergency Readiness Team (Cert) issued a warning on Sunday in response to the vulnerability.

“The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection and others,” the alert says, detailing a number of potential attacks. It adds that, since the vulnerability is in the protocol itself, rather than any specific device or software, “most or all correct implementations of the standard will be affected”.

The development is significant because the compromised security protocol is the most secure in general use to encrypt WiFi connections. Older security standards have been broken in the past, but on those occasions a successor was available and in widespread use.

Crucially, the attack is unlikely to affect the security of information sent over the network that is protected in addition to the standard WPA2 encryption. This means connections to secure websites are still safe, as are other encrypted connections such as virtual private networks (VPN) and SSH communications.

However, insecure connections to websites, those which do not display a padlock icon in the address bar, indicating their support for HTTPS, should be considered public, and viewable to any other user on the network, until the vulnerability is fixed.

Home Internet connections will remain difficult to fully secure for quite some time. Many wireless routers are infrequently if ever updated, meaning that they will continue to communicate in an insecure manner.

However, Vanhoef says, if the fix is installed on a phone or computer, that device will still be able to communicate with an insecure router. That means even users with an unpatched router should still fix as many devices as they can, to ensure security on other networks.

Alex Hudson, the chief technical officer of subscription service Iron, said that it is important to “keep calm”.

“There is a limited amount of physical security already on offer by WiFi: an attack needs to be in proximity,” Hudson wrote. “So, you’re not suddenly vulnerable to everyone on the internet. It’s very weak protection, but this is important when reviewing your threat level.

“Additionally, it’s likely that you don’t have too many protocols relying on WPA2 security. Every time you access an HTTPS site … your browser is negotiating a separate layer of encryption. Accessing secure websites over WiFi is still totally safe. Hopefully, but there is no guarantee, you don’t have much information going over your network that requires the encryption WPA2 provides.”

There’s likely to be a delay before the vulnerability is used to actually attack networks in the wild, says Symantec researcher Candid Wuest. “It’s quite a complex attack to carry out in practice, but we’ve seen similar before, so we know it’s possible to automate.

“Small businesses and people at home should be concerned, but not too worried,” Wuest added, advising most users to simply apply the updates to their software as and when it becomes available.

The most important lesson from the weakness, he said, was that relying on any one security feature is risky. “You shouldn’t be trusting one single point of failure for all your security. Don’t rely on just your WiFi, use a VPN or secure connection for anything important.”

Different devices and operating systems are impacted to differing degrees based on how they implement the WPA2 protocol. Among the worst hit are Android 6.0 (Marshmallow) and Linux, due to a further bug that results in the encryption key being rewritten for all-zeros; iOS and Windows, meanwhile, are among the most secure, since they don’t fully implement the WPA2 protocol. However, no tested device or piece of software was fully immune to the weakness.

The international Cert group, based at Carnegie Mellon University, informed technology companies of the flaw on 28 August, meaning that most have had around a month and a half to implement a fix.

The Guardian newspaper asked Apple, Google, Microsoft and Linksys the status of their patches. Google said: “We’re aware of the issue, and we will be patching any affected devices in the coming weeks.” Microsoft said: “We have released a security update to address this issue. Customers who apply the update, or have automatic updates enabled, will be protected.” No other vendor has replied at press time.

Guardian:

You Might Also Read: 

Wi-Fi on Planes is Vulnerable to Inflight Hacking:

WiFi can Spy on U:

 

« Artificial Intelligence Needs Regulation
Self-Drive Cars Coming to Manhattan »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CyberVista

CyberVista

CyberVista is a cybersecurity training education and workforce development company. Our mission is to eliminate the skills gap by creating job ready professionals.

NGS (UK)

NGS (UK)

NGS (UK) Ltd are independent, vendor agnostic, next generation security trusted advisors, providing all-encompassing solutions from the perimeter to the endpoint.

Zerodium

Zerodium

Zerodium is the leading exploit acquisition platform for premium zero-days and advanced cybersecurity research.

Octane OC

Octane OC

OCTANe is building the SoCal of tomorrow. We drive innovation and growth by connecting people, resources and capital. Our Incubator focus is FinTech, Data Analytics and Cybersecurity.

Datacentrix

Datacentrix

Datacentrix provides end-to-end cybersecurity services for the operational technology (OT) and IT environments to monitor, assess and defend our customers' information assets.

Loki Labs

Loki Labs

Loki Labs provides expert cyber security solutions and services, including vulnerability assessments & penetration testing, emergency incident response, and managed security.

Industrial Control System Information Sharing and Analysis Center (ICS-ISAC)

Industrial Control System Information Sharing and Analysis Center (ICS-ISAC)

ICS-ISAC is a non-profit, public/private Knowledge Sharing Center established to help facilities develop situational awareness in support of local, national and international security.

GAVS Technologies

GAVS Technologies

GAVS is a global IT services provider with focus on AI-led Managed Services and Digital Transformation.

Internet Crime Complaint Center (IC3)

Internet Crime Complaint Center (IC3)

The Internet Crime Complaint Center provide the public with a reporting mechanism to submit information to the FBI concerning suspected Internet-facilitated criminal activity.

Communicate Technology

Communicate Technology

Communicate Technology are IT, telecoms and cyber-security specialists, keeping over 500 businesses and 50,000 users connected and secure across the UK.

NARIS

NARIS

NARIS is the leading provider of an integrated Governance, Risk and Compliance platform called NARIS GRC.

InfoSec4TC

InfoSec4TC

InfoSec4tc is an online Information Security Courses, Training, and Consultancy provider.

N2K Networks

N2K Networks

N2K Networks is the world’s first “news to knowledge” network. The news to knowledge network is how you stay at the cutting edge in a rapidly changing world.

Castlepoint Systems

Castlepoint Systems

Castlepoint Systems is a pioneer in information governance, risk and compliance as a service. An all-in-one solution offering powerful risk management, built in compliance, cybersecurity and audit.

Breathe Technology

Breathe Technology

Breathe Technology has been providing Managed IT Support/ Service Desk, Cloud Services, Cyber Security & Communications to businesses and schools since 2003.

CelcomDigi

CelcomDigi

CelcomDigi aspire to be Malaysia’s top Telco-Tech company, transforming beyond core connectivity to lead digitalization and innovation as part of nation-building.