WiFi WPA2 security hack explained
In the last 24 hours, the media has broadly covered the WiFi WPA2 security hack. A recently discovered vulnerability could allow attackers to intercept data being transmitted between a WiFi access point and a computer or mobile device, even if that data is encrypted.
Fon CEO Alex Puregger published the following explanation:
“[Yesterday] news broke that the system that protects closed WiFi signals, specifically WPA2, has been hacked. WPA2 is the standard used in most WiFi routers. It’s the encrypted signal most home and office routers use. While reading this, you are most likely connected via WiFi WPA connection.
For upfront explanation, Fon is not directly impacted by this hack as most Fon signals are based on open SSIDs and not WPA2 encryption. Having said that, we, of course, are aware and alert about this. We are also helping our operator partners to address this with their impacted routers.
As background, Mathy Vanhoef from the University of Leuven, identified an issue in the WiFi standard itself and has now alerted the public with a white paper to make sure that the problem gets fixed. He published his research findings here today:
In sum, some of Mathy’s own words:
We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks […] Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. […]
The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected […] If your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks […]
The bad news is, that the flaw is in the WiFi standard .. so in practice, any router could be hacked and a malicious hacker could eavesdrop on communication via WiFi.
Now, if you are a normal WiFi user and are worried about your security in WiFi, I would recommend for you to relax. The security issue is technically important because it is within the standard itself, but it does not mean that tomorrow there will be a hacker at your door trying to hack your WiFi. Before WPA became the de facto standard, WEP had been the WiFi standard for very long time (and still many routers use WEP encryption). It is known that WEP can be hacked by brute force – to date only very few cases of damage via malicious hacking of WEP are known.
Overall, I actually think that the issue is more important for businesses than for home users.
The good news is, that it can be addressed with a patch and firmware update of the routers and OSs. Since WiFi Alliance, ICASI, and many other institutions and router manufacturers were informed in July about the issue, the first security patches are already available.
Now, there will be some people in the industry who will use this to try to discredit WiFi as an insecure technology. I think that would be totally inappropriate; it’s an unfortunate flaw in a standard, it’s been identified, and will be fixed soon.
I personally think that this will help to further improve WiFi security as it will create more emphasis on the issue.
Security bugs can hardly ever be avoided 100%. We know that from Microsoft, Android, and even iOS … software needs ongoing care to stay secure. The key with security bugs is to be able to react quickly and appropriately.
I think that this issue will make operators and businesses alike more aware that they should have central control over WiFi routers, so they can quickly react to specific security issues via firmware patches. If they have central control over WiFi, they can fix it on behalf of their customers. So, customers who have routers provided by their operators will have this fixed soon.
In the case our Fon partners, for example, ALL the routers that have Fon inside can be upgraded centrally – this has been a Fon requirement since the very first days and it will be greatly appreciated by all our partners in this moment because updating the firmware of routers will be relatively easy.
People, on the other hand, who bought their WiFi routers in a retail shop, will need to handle in most cases the firmware upgrades by themselves, once a new firmware is available. Something that is often not very easy and many customers just won’t do it, making themselves more vulnerable to security issues.
If you are an operator or MSP and need help with this, we are available for you.”