Everybody’s internet is public today. WPA2, the go-to Wi-Fi security option, has been cracked by Belgian researchers. The US Computer Emergency Readiness Team (CERT) has issued a warning in response and is due to release more details about the vulnerability later today. The warning issued is stark, saying that almost all implementations are affected. Now there are calls for a superseding WPA3 standard.
On the researchers' website, the attacking is decribed in the following way:
Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.
The researchers tested multiple devices to see whether the vulnerability impacted them. Initial research shows that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, are among those that are affected by some variant of the attack. The researchers urge users to update devices as soon as possible, but in reality, many devices will never see such a patch.
Here's a demonstration of the exploit being used against an affected device:
The statement from US CERT reads:
“The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection and others … most or all correct implementations of the standard will be affected.”
In response to the news, one person proposed two solutions to the problem; the first option is for the Wi-Fi Alliance to be given a list of everything that’s broken in WPA2 and let them fix it, issuing new specs for the standard for software manufacturers to implement. The second option was the creation of an un-official WPA3 without the help of the Wi-Fi Alliance.
The proposal for option two reads:
“Free Software community has a wide range of networking software that enables manipulation of Wi-Fi traffic. While some of it can be used for nefarious purposes, we could as well use it to sketch up a prototype of WPA3 and push for it to get adopted. If you’re interested, I encourage you to contact the discussion boards for projects related to Wi-FI manipulation and see if they’re interested in this. Some of the projects that are related include: ScaPy, WPA supplicant, OpenWRT. There’s definitely more of them so if you know them, let me know!”
Going forward, you will likely only be able to use WPA2 on your home devices for quite a while. In the meantime you can mitigate attacks by connecting to internet resources over secure protocols such as HTTPS and SSL. In order to use SSL for things such as email, ensure that you’re using port 465 with SMTP, as for HTTPS, it’s recommended that you install EFF’s HTTPS Everywhere, this will force many more connections to use HTTPS than your browser normally would and allows you to disable insecure traffic in your browser entirely.