Don't Panic, But Wi-Fi's Main Security Protocol Has Been Broken

Vanhoef demonstrates such an attack by completely breaking the encryption on a connection between an Android device and the British website of Match.com, which did not set up HTTPS properly. Vanhoef said that the attack exploits the four-way handshake that is used to establish a key for encrypting traffic. "This handshake is executed when a client wants to join a protected Wi-Fi network, and is used to confirm that both the client and access point possess the correct credentials".

"This certainly highlights the need for additional safety precautions; always where possible, password protect your network resource shares, even if you don't think anyone else would normally access it - after all it's not the ones you know about that are the problem".

The vulnerability is in the WPA2 (Wi-Fi Protected Access 2) protocol, which is meant to prevent an attacker from seeing all of your data in plain text.

But that assumes each of the four messages in the handshake process is successfully received.

Android 6.0 and later and recent versions of Linux are particularly vulnerable, because the attacker can resend a fake one-time key of all zeroes - in other words, a blank key.

Communication over HTTPS is unaffected by the WPA2 vulnerability and cannot be decrypted.

Of note, this attack does not allow attackers to recover the network password.

Speaking at the ACM Conference on Computer and Communications Security in Dallas, Leuven explained that this exploit may allow packet sniffing, connection hijacking, malware injection, and even decryption of the protocol itself.

Vanhoef's paper on this vulnerability, "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2", was submitted for review on May 19, 2017. However, you might not be able to do anything about the smart devices that connect via Wi-Fi to your home network. Fixes can be developed for the problem - but in practice, these will take time to roll out, and not all hardware vendors will update their products in a timely fashion. The different CVEs refer to variations of the key reinstallation attack that impact WPA2.

"If that no longer works, it makes the devices on your network a lot more vulnerable - attackers in proximity will now be able to talk to them".

It seems like a coding error is making it so easy for hackers to access an Android device.

This is, security professionals agree, a very serious vulnerability - one that affects devices on a massive scale.

Vanhoef and his colleagues are also working on a tool to detect whether the exploit can be used against specific implementations of the affected encryption protocols, which is close to release, as well as a proof-of-concept that will be released once sufficient time has passed for users to update their devices.

The good news is that it is possible to patch the issue. Generally, an attacker needs to be in the range of the victim's Wi-Fi network, launch a man-in-the-middle attack against a client connected to that network, spoof its MAC address and change the Wi-Fi channel, all of which can be done today but requires a fair degree of technical knowledge. "Here, they may go through the same procedure; too many people never check or implement router updates as it's something often too complicated for the home user to be involved in". Check with your product vendors to see if a patch is available or necessary.
