A common theme among Protected Trust’s cyber security experts, when asked why they like their chosen career path, is “job security,” and today is just another example of why they feel that way. Two major security vulnerabilities surfaced today, one dealing with Wi-Fi and the other with encryption.
Trouble with Wi-Fi
Wi-Fi routers have become nearly as ubiquitous as heating and air conditioning. For me, every structure worth inhabiting has it, unless it’s somewhere really pretty. So news that a vulnerability exists in all Wi-Fi-enabled devices is eye-opening, to say the least.
Most Wi-Fi users rely on something called Wi-Fi Protected Access 2, or WPA2, to keep their use of the internet private. Fortunately, one of the good guys discovered the bug and wrote a paper on it: cybersecurity researcher Mathy Vanhoef, from the Belgian university KU Leuven.
Describing the nightmare in a bottle that he has discovered, Vanhoef says, “This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”
If that bit of text makes you sad, take heart in the fact that attackers at least need to be in range of your router, and most router manufacturers have either already released or will be releasing a patch to fix this. Protected Trust customers, your router is fine; we happen to disable the specific functionality this affects for exactly this sort of occasion. To say that we’re security conscious around here is an understatement. However, if you have additional wireless access points that we didn’t set up, this could be an issue and you need to update that router immediately.
Worse than KRACK
Complex and hard to fully understand, ROCA is a far more widespread problem. Also unveiled today, it is a weakness in the cryptography used by German chip maker Infineon Technologies AG. Found in a wide swath of technology, including devices from Google, Fujitsu, HP, Lenovo and Microsoft, this weakness can be exploited remotely instead of requiring physical access to a Wi-Fi network.
In this kind of encryption there are public and private keys. Private keys should be secret and not derivable from the public key. However, deriving the private key from the public key is exactly what is possible here. Those with more sophisticated security, as is often the case, are less susceptible to this issue: researchers found that an attack using Amazon cloud servers would cost just $76 for the 1024-bit key, but about $40,000 for the 2048-bit version.
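Whether a particular public key carries this weakness can be checked from the public modulus alone. The Python below is an added example, not code from this post or from the researchers; it follows the fingerprint idea from the published ROCA analysis, and the prime list, function names and sample values are assumptions constructed for illustration.

```python
import math
import re

# Assumption of this example: the published ROCA analysis describes affected
# primes as p = k*M + (65537**a mod M), with M a product of consecutive small
# primes, so an affected modulus N is a power of 65537 modulo each of them.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537


def subgroup(prime: int) -> set:
    """Residues reachable as GENERATOR**i mod prime."""
    seen, value = set(), 1
    while value not in seen:
        seen.add(value)
        value = value * GENERATOR % prime
    return seen


SUBGROUPS = {p: subgroup(p) for p in SMALL_PRIMES}


def has_roca_fingerprint(modulus: int) -> bool:
    """True when modulus mod p is a power of 65537 for every small prime p."""
    return all(modulus % p in group for p, group in SUBGROUPS.items())


def modulus_from_openssl(line: str) -> int:
    """Parse the 'Modulus=<hex>' line from `openssl rsa -modulus -noout`."""
    match = re.fullmatch(r"\s*Modulus=([0-9A-Fa-f]+)\s*", line)
    if not match:
        raise ValueError("expected a line of the form Modulus=<hex>")
    return int(match.group(1), 16)


def constructed_samples() -> dict:
    """Constructed inputs for the demo; neither value is a real key."""
    m = math.prod(SMALL_PRIMES)
    shaped = pow(GENERATOR, 12345, m) + 987654321 * m  # residues of an affected N
    plain = (2**521 - 1) * (2**607 - 1)  # product of two Mersenne primes
    return {"shaped": shaped, "plain": plain}


if __name__ == "__main__":
    for name, n in constructed_samples().items():
        print(name, has_roca_fingerprint(modulus_from_openssl(f"Modulus={n:X}")))
```

A key that matches should be regenerated on patched firmware or in a different library, since the fingerprint is a property of the key itself.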
Most manufacturers have released updates that address these attacks, so the conclusion is the same as with KRACK: keep everything in your home and office updated and configured properly. If you don’t, you might as well be leaving the door unlocked when you leave.