Adam Bannister is a contributor to IFSEC Global, having been in the role of Editor from 2014 through to November 2019. Adam also had stints as a journalist at cybersecurity publication, The Daily Swig, and as Managing Editor at Dynamis Online Media Group.
October 18, 2017

WPA2 protocol

Krack wifi flaw could compromise IoT devices for decades to come

Reverberations of the wifi vulnerability revealed this week could be felt for many years to come, a security researcher has claimed.

Speaking to Wired, HD Moore, a network security researcher at Atredis Partners, said: “We’re probably still going to find vulnerable devices 20 years from now.”

The rapid proliferation of internet-connected devices, the infrequency of software patches, and multiple barriers to getting users to launch updates mean the vulnerability could compromise IoT security for a long time yet.

The vulnerability exposes wireless internet traffic to malicious eavesdroppers and attacks.

Made by Mathy Vanhoef, a security expert at Belgian university KU Leuven, the discovery is not without precedent. However, previous wifi weaknesses were found in wifi protocols that had already been largely superseded by other, more secure protocols.

WPA2, by contrast, comfortably remains the most commonly used wireless security protocol. “The attack works against all modern protected wifi networks,” said Vanhoef in his report. Wireless routers used in the home, which are updated infrequently if ever to guard against vulnerabilities, are seen as problematic.

All major operating systems, including Android, Linux, Apple and Windows, are affected. “If your device supports wifi, it is most likely affected,” said Vanhoef, who dubbed the weakness Krack (Key Reinstallation AttaCK).

Attackers who successfully exploit the weakness – and mercifully that is difficult to do, say experts – can cause havoc in a variety of ways.

“Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted,” said Vanhoef. “This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos and so on.

“Additionally, depending on the device being used and the network setup, it is also possible to decrypt data sent towards the victim (eg the content of a website).

“Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”

Developers of IoT devices are limited – mostly to email or notices on community forums – in how they can notify customers and many will only find out via news reports. Some will not find out at all.

Users that do become aware of the problem will have to find the patch download and navigate the sometimes irksome login process of the device’s web-management interface.

“Glimmer of hope”

But Wired says there is “a glimmer of hope” in pioneering new mesh-network routers with a less convoluted user interface and an auto-update function. This means fixes can be implemented without input from users themselves.

In a statement, the UK’s National Cyber Security Centre, which opened a year ago, sought to reassure the public that using the internet wouldn’t necessarily expose them to risk. “The attacker would have to be physically close to the target and the potential weaknesses would not compromise connections to secure websites, such as banking services or online shopping.”

Connections to secure websites, virtual private networks (VPN) and SSH communications are still safe, because the attack is unlikely to affect the security of information sent over the network that is protected in addition to the standard WPA2 encryption. Websites that don’t display a padlock icon in the address bar, on the other hand, will create an opening for attackers.

The United States Computer Emergency Readiness Team (Cert) issued a warning on Sunday in response to the vulnerability: “The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection and others.”

Android 6.0 (Marshmallow) and Linux are particularly vulnerable because of another bug that results in the encryption key being rewritten as zeros. Because they do not fully implement the WPA2 protocol, iOS and Windows are among the most secure, but no device or software tested has been fully immune to the weakness.

Most tech companies have already had a month and a half to fix the flaw since they were notified of the problem by the international Cert group, based at Carnegie Mellon University, on 28 August.

Responding to a request for comment from The Guardian, Google said: “We’re aware of the issue, and we will be patching any affected devices in the coming weeks.” Microsoft said: “We have released a security update to address this issue. Customers who apply the update, or have automatic updates enabled, will be protected.”
