*UPDATE* It turns out Linux is especially exposed to this vulnerability, which means Android is too. Linux (and by extension Android) can be tricked into using an all-zero encryption key, which means the attacker can easily watch all traffic on that access point. This means that most home and SMB routers:
1. Are wide open to this attack.
2. Will never get patched for it.
Let’s make one thing clear. This does not mean WiFi is dead. It means that, over the course of the past decade, a flaw was found in the current WiFi security model. The fix is to update your WiFi equipment. The issue is going to be updating your equipment. Nearly all home and small business routers get updates for maybe a year and that is it. Other gear (like thermostats and other IoT gear) will NEVER get updated. The encryption of WiFi (known as AES) is NOT broken here; it is the WPA protocol that is the issue. WPA2 is the protocol that modern WiFi uses to establish the communication between your WiFi device and the WiFi access point. The attacker does not break the encryption once it is established. What an attacker can do is basically force a re-connection between the WiFi device and the access point. When this occurs, the attacker can force a known encryption key to be used, and then the attacker can see everything. The fix for this? Update your WiFi equipment.
That takes care of the network side, but what about your devices? Google Pixel devices will get updates quickly. For other Android devices, you are at the mercy of your device manufacturer and your carrier. Apple devices that are supported will get this update. There are millions of Apple devices still in service that are no longer supported. You will need to replace this gear to not be a security threat to yourself and others. For all other Apple devices, install the update immediately upon release. For all of the IoT gear out there? Pray your vendor will update it. If they do not, replace it. I will most likely have to replace my thermostat as I am not confident Honeywell will update it. Most other IoT vendors have most likely long forgotten about their devices as well.
This DOES NOT allow the compromise of SSL/TLS-secured websites and traffic (like VPN), so you are not in danger there. One good thing about encryption everywhere is that problems like this do not mean your secured traffic gets compromised.
If you want to know further details about this vulnerability there are several articles on the web available:
ETC Maryland’s forward-looking philosophy continues to show that smaller companies can have enterprise-level security without the enterprise-level costs. ETC Maryland has started installing new networking gear as quickly as clients agree. This new brand of networking gear is Ubiquiti. This company has gear that is near Cisco's level of capabilities at nearly home-level pricing. Ubiquiti does not charge for their control software, and updates are free for the life of the product. Case in point: gear they released 5 years ago is still getting free updates. They have gear to cover the home market all the way up to larger corporations. Ubiquiti already has firmware updates in the final testing stages for ALL of their products, from the earliest gen 1 UAP to their latest AP-SHD access points. All ETC Maryland clients who are having their Ubiquiti networks monitored are going to get this update at no additional cost once it gets released in full.
For a full security evaluation, or if you have concerns about your own networking security, contact ETC Maryland using the contact form or call me at 301-524-5271.