The world woke up this morning to a new, very damaging security news that impacts every WiFi network and wireless device. This vulnerability is particularly serious as it impacts every device and network using WPA2 encryption for the WiFi. WPA2 has been out since 2003 and up to now has not been broken. Today that changed.
The attack manipulates the 4-way handshake process that WPA2 uses to trick a device to re-install the encryption an already in use key. This allows for an attacker to slide into the conversation of the network and capture everything that is sent. Android and Linux devices are easier to compromise with this method through their less-than-optimal network connection processes. The video below shows how this is done.
CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088.
How To Protect Yourself
- PATCH IMMEDIATELY – You will need to apply patches on ALL your devices, not just the network routers. All phones, laptops, computers, routers and basically anything that connects wirelessly to a network. Patches will be rolling out soon, Microsoft has already released patches for this, but other devices will have to be checked manually.
- DON’T CONNECT TO ANY WIFI NETWORKS– Until your devices are patched do not connect to ANY wireless networks, including Google hotspots. Use cellular data, hard wire connect or just wait.
- USE HTTPS – When connecting to websites ALWAYS use HTTPS. Make sure the website you are using, regardless, is over HTTPS not HTTP. As the video shows even though a website is HTTPS there are tools that can strip the SSL out and trick your device to use HTTP. That means anything over HTTP is viewable, unencrypted. If it’s HTTPS the attacker cannot see the data.
- You should be using HTTPS for every website you can anyway.
- USE A VPN – With all these types of attacks and vulnerabilities it’s worth the $5/mo. for a personal VPN. Using a VPN on your phones, laptops and computers will keep your data fully encrypted, wrapped in a tunnel hidden from attackers. A VPN will protect you from this attack.
- DO NOT USE FREE VPNs out of an app store. You cannot trust them. A study showed that roughly 40% of the free VPNs were not secure. Spend the money and invest in your security.
One Positive Note On This Attack
This attack requires an attacker to be within range of the network. It’s cannot be conducted remotely. However, airports, hotels, coffee shops, city WiFi networks and any other establishment that offers public WiFi are targets. Don’t assume that your neighbors aren’t threats. One smart curious kid or security researcher can still ruin your day without you knowing.
Another suggestion, be cautious on big vulnerabilities like this and the overreaction from the media and internet. FUD (Fear Uncertainty and Doubt) will spread false messages, get you to buy security products that will do nothing and exploit the naive. Wait for the patches to come out and make sure you apply them. Be aware of the networks you connect to at all times and pay attention to the websites you are using and how you are connecting to them. Never assume.
End of Line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.