If you follow tech-focused websites, then, like me, you must have had a bad start to the week.
Yesterday, Mathy Vanhoef, a KU Leuven security researcher, discovered a security flaw in the Wi-Fi encryption protocol WPA2.
Unlike device-specific security flaws, this vulnerability extends to all devices (mobile, computers, even personal home assistants like the Google Home). The vulnerability allows hackers to snoop on one’s network traffic, thus exposing sensitive data like passwords, private conversations and web activity on any non-HTTPS website.
The attack has been code-named KRACK (Key Reinstallation Attacks): a hacker within physical range of a vulnerable device can take advantage of the flaw to decrypt network traffic, hijack connections and inject content into the traffic stream.
Scary stuff, but how likely are you to be affected? Vanhoef stated, “All Wi-Fi clients we tested were vulnerable” to an attack. This vulnerability proves quite dangerous, as virtually everyone connects to the Internet over Wi-Fi every day. While connecting to HTTPS websites should steer you into the clear (assuming these have been appropriately configured), all other websites that do not use the protocol are essentially an open book for hackers.
While no security patches have been created at the time of writing (unusual given the severity of the vulnerability), there are some precautions one can take to minimise their digital footprint.
Using a VPN (virtual private network) would encrypt the connection, reducing the likelihood of sensitive data being breached. The Chromium-based web browser Opera is a great option, as it features a built-in VPN (and it's free!). HTTPS Everywhere, an extension available on most browsers, helps too, as it automatically requests the HTTPS protocol where possible (although it is not as effective as a VPN).
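What "appropriately configured" can mean in practice, as an added example that is not part of the original post: a Python check over constructed response headers that flags sites whose traffic could still end up on plain HTTP. The hostnames, sample headers, the 180-day threshold and the choice of checks (HTTPS redirect, HSTS, Secure cookies) are assumptions of this example.

```python
import re

# Constructed sample responses to a plain http:// request and its https:// follow-up.
# Hostnames are placeholders, not real measurements.
SAMPLES = {
    "good.example": {
        "http": {"status": 301, "headers": {"Location": "https://good.example/"}},
        "https": {"status": 200, "headers": {
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Set-Cookie": "sid=abc; Secure; HttpOnly"}},
    },
    "weak.example": {
        "http": {"status": 200, "headers": {}},
        "https": {"status": 200, "headers": {"Set-Cookie": "sid=abc; HttpOnly"}},
    },
}

MIN_HSTS_AGE = 15552000  # 180 days; threshold chosen for this example


def hsts_max_age(value):
    """Return max-age in seconds from an HSTS header value, or 0 if absent/invalid."""
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value or "", re.IGNORECASE)
    return int(m.group(1)) if m else 0


def audit(site):
    """List the ways a client on an untrusted Wi-Fi link could end up on plain HTTP."""
    findings = []
    http, https = site["http"], site["https"]
    location = http["headers"].get("Location", "")
    if not (300 <= http["status"] < 400 and location.lower().startswith("https://")):
        findings.append("http request is served without redirect to https")
    if hsts_max_age(https["headers"].get("Strict-Transport-Security")) < MIN_HSTS_AGE:
        findings.append("HSTS missing or max-age too short")
    cookie = https["headers"].get("Set-Cookie", "")
    if cookie and "secure" not in [p.strip().lower() for p in cookie.split(";")]:
        findings.append("session cookie lacks the Secure attribute")
    return findings


if __name__ == "__main__":
    for host, site in SAMPLES.items():
        print(host, audit(site) or "ok")
```

An empty findings list means the browser is told to use HTTPS on every later visit, so traffic to that site stays encrypted even if the Wi-Fi layer is not.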
Stay (digitally) safe!
Thank you for this insightful post.
I did not know about this and I am very happy about you sharing this insight.
One really has to be cautious on the web as most people underestimate the risks involved.
Wifi, however, has always been a source of risk, as previously the WPS button allowed hackers to easily gain access to the routers (https://www.computerworld.com/article/3171690/network-security/7-wi-fi-vulnerabilities-beyond-weak-passwords.html#tk.drr_mlt).
Analyzing the traffic is not hard anymore as Kali Linux provides several tools such as Wireshark that facilitate network traffic analysis.
Once analyzed, the network traffic can reveal a lot of personal data and is a great security risk.
Thank you again for sharing this post!
Great that you tied your topic into the present news. It is kind of scary that this problem can affect many devices. I do have a question for you: Do you think the researchers did a good job by publicizing this security problem to the public before a patch for this security problem has been developed? E.g. it seems to me that by publicizing it, the chance of exploiting it increases, as the problem has not been solved?
Hi Wan,
first of all, thank you for your comment and interest regarding this topic. Your question has been shared by many throughout the tech community. Let me address your question by providing you with some first-hand, albeit limited, experience I had in the cybersecurity industry. Within the cybersecurity industry, security specialists or so-called “hackers” all benefit from discovering, analyzing and finding solutions (providing a patch in industry jargon) to vulnerabilities. In order to do so, security specialists first need to understand the “hack” or vulnerability to be able to move forward with a patch. The researcher’s choice to provide the community with an actual display of the attack is a sensible one for the following reason: it saves hackers a lot of time trying to figure out how to conduct the attack, what environment they need to create to be able to set up to conduct the attack, and where to conduct the attack. By providing the answer to all of these questions, the researcher essentially has provided all the tools and information necessary for security specialists to recreate the attack and ultimately to find a patch. Given the seriousness of this vulnerability, it made sense for the researcher to publish and provide a live demo of the attack as this would speed up the patching process.
However, you have raised a very valid point. Not all “hackers” are out to do good. By exposing this flaw in security to the world (despite all the right intentions), it has called out and provided malicious hackers with a step-by-step guide to exploit such a vulnerability.
Fascinating topic. This reminds me of class readings about the level of transparency that is best or most appropriate for a company. It is concerning to read about this breach in security without any word of when a solution to the problem might be found. I also wonder if, learning of the breach, some hackers with ill intent might try to take advantage of this data breach. When is it best to alert people to breaches in their everyday security and safety? Is it better to alert the general population immediately, or after some solution to the problem has been constructed? I truly wonder.