A weakness in the main security mechanism that protects wireless networks may not be fixed for several weeks, depending on the software a device is running. But its ramifications will be felt for much longer than that.
The WPA2 security protocol has been a mandatory requirement for all devices using the Wi-Fi protocol since 2006, which translates into billions of laptops, mobiles, and routers. The weakness identified by Mathy Vanhoef, a digital security researcher at the Catholic University of Leuven (KUL) in Belgium, lies in the way devices running WPA2 encrypt information.
Each time a device joins a network, it exchanges messages with the router in what is known as a “four-way handshake”. Vanhoef, who will present his findings next month at the Association for Computing Machinery’s Conference on Computer and Communications Security in Dallas, Texas, found it is possible to interfere with this handshake.
That allows a hacker to gain access to any sensitive information sent over a network – credit card numbers, passwords, chat messages, emails, and photos – regardless of passwords or encryption.
“Any device that uses Wi-Fi is likely vulnerable,” says Vanhoef. He alerted technology firms to the vulnerability in July.
Fixing the problem is a matter of a straightforward software update, but while Microsoft has already released a patch to fix the problem on devices running its software, Google and Apple have still to release updates that will do the same.
However, among the most vulnerable devices are those running Google’s Android 6.0 or later – Vanhoef estimates that 41 percent of the world’s 2 billion Android devices are susceptible.
That’s because the problem is not in devices – it’s in the Wi-Fi standard itself. That means how vulnerable a device is depends entirely on how closely it adheres to the standard. Android adheres strictly. Apple and Microsoft products, on the other hand, adhere less closely, so they are only prone to unusual variations of the attack.
The good news is that there are some barriers to exploiting this vulnerability. “The attacker’s computer needs to be close to the victim, probably within 100 meters,” says Steven Murdoch at University College London. “Also, the code that implements the attack has not been published, so it is going to take quite a lot of work to re-implement it based on the description in the paper.”
That still means someone sat in a cafe or outside a home, for example, could access information being sent over its Wi-Fi network. Alan Woodward, a computer security expert at the University of Surrey, UK, thinks that with appropriate antennas, the range from which an attack is possible “can be further than you might think”.
After alerting technology companies, in August Vanhoef notified the US Computer Emergency Response Team (CERT). But he agreed not to publicly release the details for several months to allow the firms to fix their software. “Sadly not all vendors have been quite as swift [as Microsoft] at producing the patches,” says Woodward. “There are still many device manufacturers who have yet to say whether they are vulnerable and if they have been patched.”
Apple has patched the issue in beta versions of its current operating systems that will be released in a few weeks. Google says it too expects to release an update soon.
Even after everything has been patched, however, this vulnerability will have a huge impact on other wireless devices connected to the internet of things, says Andrew Martin at the University of Oxford. That includes everything from smart light bulbs and thermostats to home assistants. “We can be sure a lot of these devices won’t be patched,” he says. “Whether that matters for this attack or only for some future attack is yet to be seen.”