The following is a SECURITY ADVISORY regarding a technology issue which has wide impact.
A major flaw has been found in the technology which powers most of our wireless devices: WiFi.
WiFi is a term which loosely describes a set of protocols which enable wireless networking on computers and laptops; routers and wireless access points; phones and tablets; smart TVs and set-top boxes; gaming consoles; printers; and, thanks to the Internet of Things (IoT), doorbells, speakers, garage door openers, smart switches and outlets, lightbulbs, and even the deadbolt to your front door. Some cars even have WiFi hotspots built-in.
When WiFi first came out, the industry needed a way to secure the data being sent through the air. The solution was called WEP: Wired Equivalent Privacy. The promise of WEP was that all data sent over WiFi was secured by this protocol to the extent that it provided the same level of privacy as a physical wire – in this context: an Ethernet cable.
It wasn’t long after when we learned that WEP wasn’t secure or private at all. New protocols for encrypting and securing communications were developed and implemented – but older equipment which didn’t support the new protocols needed to be replaced.
The new protocols were WPA and WPA2 (with TKIP and AES thrown in).
Researchers at KU Leuven, a university in Belgium, discovered a way to defeat the encryption which WPA2 provides – the result is what many in Security- and I.T.-circles are calling “Black Monday”. The newly discovered vulnerability (two of them, actually), allows attackers to decrypt WPA2 connections and affects absolutely every device that supports WiFi.
The WiFi vulnerability is being called “KRACK”: Key Reinstallation AttaCKs.
Vulnerability 1: KRACK
According to statistics by Wigle.net, the WPA2 protocol secures 60% of the world’s WiFi networks. This particular vulnerability allows an attacker to read information which is sent over a WiFi network using WPA2, meaning attackers can use this to steal sensitive information like credit card numbers, passwords, chat messages, emails, photos, and more. Attackers may also be able to inject malicious information into the WiFi network, including ransomware and malware.
Previous attacks on WiFi protocols exploited weaknesses in a particular implementation (for example, a WiFi chip or product-line built by a particular manufacturer). This vulnerability, however, is in the WiFi standard itself, meaning products which correctly implement the WPA2 standard are affected.
If your device supports WiFi, it is likely affected by this vulnerability.
Products which are known to be affected by this at this time include (but not limited to):
- devices powered by Android,
- Microsoft Windows,
- and more.
What should you do about the WPA2 vulnerability?
Virtually every device you own which uses WiFi is at risk. If you connect to a pseudo-public WiFi access point, you are at higher risk.
The good news is that patching this vulnerability shouldn’t require you to replace any hardware. It will, however, require every WiFi vendor to update their drivers/firmware, and successfully deliver and install those updates to every piece of hardware they’ve ever sold.
Manufacturers are scrambling to patch their products. BleepingComputer has published a running list of vendors and the status of their patches.
Your computers and mobile devices (phones and tablets) should prompt you when an important security update is available. Make sure you do not put off installing those updates. We also recommend that you periodically manually check for updates.
For routers, printers, and other IoT devices, you may have to sign into the device (or its app) and manually update the firmware on the device.
For routers, you may have to log in to its administration panel and manually update the firmware on the device.
We highly recommend running a reputable VPN client on every device that you can. VPNs encrypt traffic prior to entering the WiFi (or wired) network.
Vulnerability 2: “ROCA”
Another vulnerability known as “ROCA” was also announced. This vulnerability involves an attack on public key encryption in an attempt to weaken the way we authenticate software.
Fixing this vulnerability also requires you to update your devices once their vendors have released updates.