SINGAPORE: On Monday, two Belgian researchers publicly disclosed their research highlighting vulnerabilities in WPA2, a security protocol used to protect Wi-Fi networks, and said that "if your device supports Wi-Fi, it is most likely affected".
This is not just another cybersecurity flaw, as the vulnerabilities lie in the Wi-Fi standard itself, and is not due to weaknesses in individual products or implementations, according to one of the researchers Mathy Vanhoef.
"Therefore, any correct implementation of WPA2 is likely affected," he wrote on a dedicated website created to disclose the findings.
He added that during their initial research, they discovered that "Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and others are all affected by some variant of the attack".
This led to the Singapore Computer Emergency Response Team (SingCERT) to issue an advisory and to urge users to patch their systems.
So why should you care, and what can you do to protect your Wi-Fi networks from being attacked?
Q: Does this vulnerability affect me?
A: If you use any device that supports Wi-Fi, probably yes. "Contact your vendor for more information," advises Mr Vanhoef on his website.
Q: Must I change my Wi-Fi password?
A: No, changing the password of one's Wi-Fi network will not prevent or mitigate an attack. Consumers should, instead, make sure all their devices are updated, and they should also update the firmware of their routers.
"Nevertheless, after updating both your device and router, it's never a bad idea to change the Wi-Fi password," the researcher said.
Q: What if my router has no security updates?
A: The main attack method highlighted is the Key Reinstallation Attack (KRACK), which targets the four-way handshake. The handshake is executed whenever a device wants to join a protected Wi-Fi network and is the means whereby a mobile device, for example, can be authenticated by an access point, usually a router.
Mr Vanhoef said his attack method does not exploit access points but the devices itself, so it might be that your router does not require security updates. He advised people to contact their vendors for more details.
For ordinary home users, the priority should be updating client devices such as laptops and smartphones, he added.
This was reiterated by Singapore telco Singtel, which said in a statement on Thursday (Oct 19) that Singtel broadband subscribers should not seek any software upgrades on their home routers as these are "not known to have been subject to the vulnerability in their current mode of installation".
However, other Wi-Fi-enabled devices may be vulnerable though, and customers should immediately upgrade their firmware or software when patches are made available to guard against potential vulnerabilities, a Singtel spokesman said.
Q: Which vendors are affected?
A: SingCERT said Microsoft has released a security update for supported versions of their products, while the US CERT has published a list of vendors to indicate which have disclosed that they are affected and their statements, if any, on the issue.
Tech news site ZDNet has also compiled a list highlighting companies that are actively addressing this issue. These include Apple, which said fixes for iOS, macOS, watchOS and tvOS are in beta and will be rolled out in a software update in a few weeks. Google said that it is aware of the issue and will be patching any affected devices in the coming weeks.
Q: Are hackers already exploiting these vulnerabilities?
A: Mr Vanhoef said they are not in a position to determine if the vulnerability has been, or is being, actively exploited in the wild (not in research or test environments).
The Wi-Fi Alliance also said on Monday that "there is no evidence that the vulnerability has been exploited maliciously".
Q: What is the Wi-Fi Alliance doing to address these vulnerabilities?
A: The organisation, which certifies that Wi-Fi devices conform to certain standards of interoperability, will be doing the following:
- Require testing for this vulnerability within its global certification lab network
- Provide a detection tool for use by any of its members
- Broadly communicate details of this vulnerability and remedies to device vendors
- Encourage these vendors to work with solution providers to rapidly integrate any necessary patches
Q: How can such vulnerabilities be prevented?
A: "We need more rigorous inspections of protocol implementations," said Mr Vanhoef. "This requires help and additional research from the academic community."
"Together with other researchers, we hope to organise workshops to improve and verify the correctness of security protocol implementations."