Serious vulnerability discovered in WiFi (WPA2) security.

Problems/advice relating to your PC/Mac/Phone/Television/ Satellite TV/DVD/Blu ray......

Moderator: Moderators

Post Reply
cjb
Rank 0
Rank 0
Posts: 5
Joined: Mon 27 Jun 2016 19:47

Serious vulnerability discovered in WiFi (WPA2) security.

Post by cjb »

A security researcher has announced discovering a serious weakness in the WPA2 security protocol present in many WiFi routers, access points and other wireless devices, including computers, tablets and phones that connect to a WiFi network.

The exploit also existed in Windows but has been patched by the October 10th monthly updates. See this page for more detail: https://portal.msrc.microsoft.com/en-US ... 2017-13080.

Apple has said that iOS, macOS, etc. will contain a patch in the next routine update of those products. Bear in mind that older iOS devices, that can't upgrade to iOS 10 or 11, might not be patched. This link describes the iOS position: https://www.nextpowerup.com/news/39014/ ... erability/

At present, all Android and Linux devices that connect by WiFi to a network are believed to be at risk.

We are all at risk of this exploit if:
1. A (knowledgeable) hacker can get physically close enough to your WiFi network to be able to connect to it.
2. The wireless routers/computers, etc. that you are using/accessing haven't been patched (or declared safe by their manufacturers or suppliers).

In practice the most likely attack scenario is for those people who use public WiFi access. The advice is to not use public WiFi for anything involving username/password access - banking, email, etc.

In theory, always using sites with HTTPS, or using a tier one VPN, should protect you against having your passwords stolen. However in the case of HTTPS, a complementary exploit can be used to de-crypt all the encrypted data on any HTTPS site that is not set up correctly. Apparently there are many such seemingly secure sites - in the exploit demonstration (see link below), match.com appears to be one such. The only protection in this case is to always ensure the (usually green) padlock icon shows at the beginning of the browser address bar, together with the characters: "HTTPS://". If they don't, don't proceed with the application.

At home, ideally only use Ethernet cable connected devices for sensitive, username/password (e.g. banking) applications, assuming you have cable broadband. Users with 4G broadband may still be vulnerable if the connection device doesn't have any Ethernet sockets.

A good explanation of the exploit is available at Ars Technica, including a link to a video showing the exploit in use: https://arstechnica.com/information-tec ... sdropping/.

UPDATE:
To put this situation in perspective, one is more likely to be at risk using WiFi in places like airports, stations and cafes or restaurants. Unless one lives in a busy town or city, individual householders are likely to be at less risk of becoming victims of this exploit. But it is probably always a good idea to be attentive when accessing sites that store your personal and/or financial details and always check that you can see the padlock icon and the "HTTPS://" characters before logging to the site.
Post Reply