When setting up a new Wi-Fi network, you’re probably conditioned by now to check the “WPA2” box. You may not specifically know when or why someone advised you to do this, but it was solid advice. Wi-Fi Protected Access 2 is the current industry standard that encrypts traffic on Wi-Fi networks to thwart eavesdroppers. And since it’s been the secure option since 2004, WPA2 networks are absolutely everywhere. They’re also, it turns out, vulnerable to cryptographic attack.
Researchers have disclosed a serious weakness in the WPA2 protocol that allows attackers within range of a vulnerable device or access point to intercept passwords, e-mails, and other data presumed to be encrypted, and in some cases, to inject ransomware or other malicious content into a website a client is visiting.
The flaw in WPA2’s cryptographic protocols could be exploited to read and steal data that would otherwise be protected, according to new research from security researcher Mathy Vanhoef of KU Leuven in Belgium. In some situations, the vulnerability even leaves room for an attacker to manipulate data on a Wi-Fi network, or inject new data. In practice, that means hackers could steal your passwords, intercept your financial data, or even manipulate commands to, say, send your money to themselves.
The United States Computer Emergency Readiness Team issued the following warning in response to the exploit:
US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.
If your device supports Wi-Fi, it is likely affected by this vulnerability.
Products known to be affected at this time include Android, Linux, Apple, Microsoft Windows, Linksys and more. The list of affected vendors is enormous, and vendors including Amazon, Cisco and Netgear are scrambling to release patches to fix this issue.
As of right now, there is no fix or patch available for non-Microsoft products. Here at Magellan Transnational, we will list patches here as soon as they are made available.
Microsoft has announced a patch: Windows users can find it here.