All wifi Network’ are helpless against hacking, security master finds
WPA2 protocol used by vast majority of wifi connections has been broken by Belgian researchers, highlighting potential for internet traffic to be exposed
The security convention used to ensure most by far of wireless associations has been broken, possibly uncovering remote web traffic to malignant busybodies and assaults, as indicated by the analyst who found the shortcoming.
Mathy Vanhoef, a security master at Belgian college KU Leuven, found the shortcoming in the remote security convention WPA2, and distributed subtleties of the imperfection on Monday morning.
Vanhoef emphasised that “the attack works against all modern protected wifi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”
The vulnerability affects a number of operating systems and devices, the report said, including Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and others.
“If your device supports wifi, it is most likely affected,” Vanhoef wrote. “In general, any data or information that the victim transmits can be decrypted … Additionally, depending on the device being used and the network setup, it is also possible to decrypt data sent towards the victim (e.g. the content of a website).”
Vanhoef gave the weakness the codename Krack, short for Key Reinstallation AttaCK.
Britain’s National Cyber Security Centre said in a statement it was examining the vulnerability. “Research has been published today into potential global weaknesses to wifi systems. The attacker would have to be physically close to the target and the potential weaknesses would not compromise connections to secure websites, such as banking services or online shopping.
“We are examining the research and will be providing guidance if required. Internet security is a key NCSC priority and we continuously update our advice on issues such as wifi safety, device management and browser security.”
The United States Computer Emergency Readiness Team (Cert) issued a warning on Sunday in response to the vulnerability.
“The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection and others,” the alert says, detailing a number of potential attacks. It adds that, since the vulnerability is in the protocol itself, rather than any specific device or software, “most or all correct implementations of the standard will be affected”.
The development is significant because the compromised security protocol is the most secure in general use to encrypt wifi connections. Older security standards have been broken in the past, but on those occasions a successor was available and in widespread use.
Crucially, the attack is unlikely to affect the security of information sent over the network that is protected in addition to the standard WPA2 encryption. This means connections to secure websites are still safe, as are other encrypted connections such as virtual private networks (VPN) and SSH communications.
However, insecure connections to websites – those which do not display a padlock icon in the address bar, indicating their support for HTTPS – should be considered public, and viewable to any other user on the network, until the vulnerability is fixed.
Equally, home internet connections will remain difficult to fully secure for quite some time. Many wireless routers are infrequently if ever updated, meaning that they will continue to communicate in an insecure manner. However, Vanhoef says, if the fix is installed on a phone or computer, that device will still be able to communicate with an insecure router. That means even users with an unpatched router should still fix as many devices as they can, to ensure security on other networks.
Different devices and operating systems are impacted to differing degrees based on how they implement the WPA2 protocol. Among the worst hit are Android 6.0 (Marshmallow) and Linux, due to a further bug that results in the encryption key being rewritten to all-zeros; iOS and Windows, meanwhile, are among the most secure, since they don’t fully implement the WPA2 protocol. No tested device or piece of software was fully immune to the weakness, however.
The international Cert group, based at Carnegie Mellon University, informed technology companies of the flaw on 28 August, meaning that most have had around a month and a half to implement a fix. The Guardian has asked Apple, Google, Microsoft and Linksys the status of their patches. Google said: “We’re aware of the issue, and we will be patching any affected devices in the coming weeks.” Microsoft said: “We have released a security update to address this issue. Customers who apply the update, or have automatic updates enabled, will be protected.” No other vendor has replied at press time.