Has a New Wi-Fi Hack Been Discovered in the WPA2 Security Protocol?

  • Thread starter: jtbell

Discussion Overview

The discussion revolves around a newly discovered vulnerability in the WPA2 security protocol, particularly focusing on its implications for various devices and the effectiveness of existing security measures. Participants explore the potential risks, patching timelines, and the importance of using HTTPS to mitigate threats.

Discussion Character

  • Debate/contested
  • Technical explanation
  • Exploratory

Main Points Raised

  • Some participants express concern that all Wi-Fi networks are vulnerable to hacking due to the WPA2 protocol, highlighting the need for updates to client software.
  • Others note that Android devices may be particularly vulnerable due to slower patching processes compared to iPhones.
  • A participant references a paper detailing the vulnerability, explaining how an attacker can trick a client into reinstalling a known network key, which poses a significant risk for Linux devices.
  • There is a suggestion about the feasibility of hacking WPA2 using Arduino, indicating interest in practical applications of the vulnerability.
  • Some participants argue that relying solely on Wi-Fi security is insufficient, emphasizing the importance of HTTPS for protecting data once it leaves the router.
  • One participant mentions that Windows has already issued a fix for the vulnerability, while others express concern about the speed of patch releases for Android devices.
  • There is a discussion about the limitations of HTTPS, with some questioning its effectiveness depending on the website's security configuration.
  • Participants acknowledge that while the vulnerability is serious, there are measures users can take to mitigate risks, such as using HTTPS and being aware of potential man-in-the-middle attacks.
  • Some express relief at the rapid response from Linux developers in addressing the vulnerability.

Areas of Agreement / Disagreement

Participants do not reach a consensus on the severity of the vulnerability or the effectiveness of various security measures. There are competing views on the reliability of different devices and the adequacy of existing protections.

Contextual Notes

Discussion includes uncertainty regarding the speed of patch deployment across different platforms and the varying levels of security provided by HTTPS. Some participants highlight the need for further clarification on the implications of the vulnerability.

Who May Find This Useful

This discussion may be of interest to individuals concerned about Wi-Fi security, cybersecurity professionals, and users of various operating systems looking to understand the implications of the WPA2 vulnerability.

Makes me wish I was still using an iPhone. I just switched to an Android phone and I hear those take time to get patched due to extra QA hoops. Google -> phone manufacturer -> cell carrier? So it sounds like Android devices will be the most vulnerable.
 
Here's the paper describing the vulnerability in detail https://papers.mathyvanhoef.com/ccs2017.pdf.

It appears that under the WPA2 protocol, the client can be tricked into reinstalling a known network key by an attacker retransmitting the third message of WPA2's 4-way handshake. It is especially bad for Linux devices since Linux clears the key in RAM after it is installed. If the attacker coaxes Linux to re-install the key, it will install the cleared memory (which is all zeros) as the new key.
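Added example, not part of the original post and not wpa_supplicant code: a toy Python model of the client-side behaviour described above, comparing an unpatched client, an unpatched client that zeroes its key buffer after install, and a client that refuses to reinstall a key it already uses. The class, the field names and the sample key are constructed for illustration; the reset of the per-frame counter on key install is taken from the linked paper's description of the attack.

```python
# Toy model (constructed for illustration; not wpa_supplicant code).
PTK = bytes(range(1, 17))  # constructed 16-byte session key


class Client:
    def __init__(self, patched, clears_key_buffer):
        self.patched = patched
        self.clears_key_buffer = clears_key_buffer
        self.key_buf = bytearray(PTK)  # negotiated key held in RAM
        self.installed = None          # key the "driver" encrypts with
        self.nonce = 0                 # per-frame packet number

    def on_message3(self):
        """Handle handshake message 3, original or retransmitted."""
        if self.patched and self.installed is not None:
            return                     # fix: acknowledge, but never reinstall
        self.installed = bytes(self.key_buf)
        self.nonce = 0                 # installing a key resets the counter
        if self.clears_key_buffer:     # behaviour the post describes for Linux
            self.key_buf[:] = bytes(len(self.key_buf))

    def send_frame(self):
        self.nonce += 1
        return (self.installed, self.nonce)


def simulate(patched, clears_key_buffer):
    """First message 3, three frames, a replayed message 3, three more frames."""
    c = Client(patched, clears_key_buffer)
    c.on_message3()
    frames = [c.send_frame() for _ in range(3)]
    c.on_message3()                    # retransmitted message 3
    frames += [c.send_frame() for _ in range(3)]
    return {
        "reused_key_nonce_pairs": len(frames) - len(set(frames)),
        "zero_key_in_use": c.installed == bytes(len(PTK)),
        "last_nonce": c.nonce,
    }


if __name__ == "__main__":
    for patched, clears in [(False, False), (False, True), (True, True)]:
        print(patched, clears, simulate(patched, clears))
```

The model covers a single handshake only; a real client must still accept a genuinely new key on rekey, which this sketch does not represent.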
 
Would it be possible to hack it using Arduino? :smile:
 
Use https. If websites don't offer that, bug the owners until they do.

Relying on Wifi security was never a good idea - even if the wireless connection is secure, it still means the owner of the router and every computer transferring the data over the internet can read everything if there is no encryption of the web traffic. Add the various exploits that can make the phone/laptop connect to the wrong router and you shouldn't rely on Wifi security anyway.
 
mfb said:
Use https.

This. Even with the best Wifi security, you have no idea what is listening on your traffic once it leaves the router. Who knows what is hooked up to the network in the back room of the Starbucks? You should behave as if everything on the network is insecure, and that means taking precautions.
 
mfb said:
Use https. If websites don't offer that, bug the owners until they do.
Depends what you are doing. If you are reading news at WaPo what difference does HTTPS make? Even HTTPS has different security levels. I had to renew PF's certificate weeks after buying it because Google flagged it for using SHA-1 instead of SHA-2.
 
It's not as bad as it sounds. wpa_supplicant on Linux was patched on the same day the information was released. On an unpatched system, this attack can be used to capture and view data being sent from the client to the access point.
For example: the attacker can see that your system made a DNS request for google.com but it doesn't know what was sent back.

The problem is mobile. I don't know how quickly Android vendors will provide patches to fix your phone/tablet.

If you are using websites that have HTTPS correctly configured with HSTS and a browser that supports it, then you shouldn't be at risk. The problem is when websites don't, then a MITM attack can take place using a rogue access point and tools like sslstrip. But people won't be able to steal your Gmail or Facebook login credentials as your browser will warn you that you are using HTTP on a site that should always use HTTPS.

It will be obvious. An error that looks like this:
[Image: hqdefault.jpg]


Yeah it's bad but as an end user, you can still do a lot on your end to mitigate risk and safeguard your information.
 
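Added example, not part of the original post: one way a site owner could check whether a response's `Strict-Transport-Security` header sets a usable HSTS policy, the condition the post above relies on. The verdict labels, the sample headers and the 180-day minimum are assumptions chosen for this example; the parsing rules (one occurrence per directive, `max-age` required, header ignored when received over plain HTTP) follow RFC 6797.

```python
MIN_MAX_AGE = 180 * 24 * 3600  # assumed site policy for this example: 180 days


def parse_hsts(value):
    """Return {'max_age': int, 'include_subdomains': bool}, or None if malformed."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        if name in seen:
            return None                  # a directive may appear only once
        seen[name] = arg.strip().strip('"')
    age = seen.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        return None                      # max-age is required, non-negative integer
    return {"max_age": int(age), "include_subdomains": "includesubdomains" in seen}


def hsts_verdict(scheme, header):
    """Classify one response: scheme it arrived over and its header (or None)."""
    if header is None:
        return "missing"                 # nothing forces later visits onto HTTPS
    if scheme != "https":
        return "ignored-over-http"       # browsers discard HSTS sent over HTTP
    policy = parse_hsts(header)
    if policy is None:
        return "malformed"
    if policy["max_age"] == 0:
        return "disabled"                # max-age=0 tells the browser to forget the host
    if policy["max_age"] < MIN_MAX_AGE:
        return "short"
    return "ok"


if __name__ == "__main__":
    samples = [                          # constructed sample responses
        ("https", "max-age=31536000; includeSubDomains"),
        ("http", "max-age=31536000"),
        ("https", "max-age=0"),
        ("https", None),
    ]
    for scheme, header in samples:
        print(scheme, repr(header), "->", hsts_verdict(scheme, header))
```

Even an "ok" verdict only protects a browser that has already seen the header over HTTPS once, or a host that is on the browser's preload list.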
  • #10
Greg Bernhardt said:
If you are reading news at WaPo what difference does HTTPS make?
Not much, but then the wifi encryption is not important either.
 
  • #11
Thank god for the fast updates for Linux users, on the next day. Try it.
 
