Big news. Not good big news either. Over the weekend a security a Belgian security researcher submitted his findings that prove there are vulnerabilities in many deployments of 802.11i, specific to its use of WPA protection. His research, while the specifics remain above my head, were translated to lay terms by our resident anonymous tech-aficionado, who wishes to remain nameless for fear of government spooks, Google, and all the other things the paranoid people know that we don’t. Let’s dig in;
Long and short of it is that there are flaws in the 802.11i (WPA) specification and flaws in many client implementations that allow a MITM attack where protected traffic can either be decrypted, forged, or dropped. Turns out some vendors’ implementations are worse than others. In the Windows and iOS versions tested by the researcher (Windows 7, 10, and iOS 10.3.1), they actually deviated from 802.11 spec in such a way that it happens to be more difficult to attack. (Broadcast and multicast keys are vulnerable, but unicast is not.) Some Android and Linux-based wpa_supplicant versions have a bug that make the attack easier and more dangerous.
Good news is that it is software patchable and patching either side, AP or client, mitigates the vulnerability. Also, good news that this vulnerability does not lead to WPA passphrase disclosure. It allows a MITM attack that could decrypt in most circumstances protected traffic, and forge or drop protected traffic if using WPA-TKIP or GCMP encryption (less common). Bad news is that the most vulnerable software (Android and Linux-based router/AP firmwares) are also the types of devices that tend to rarely receive timely updates…or updates at all.
One thing that isn’t news it that wireless security is a moving target. WEP, or wired equivalent privacy for your misnomer of the day, was cracked not long after wireless networks got their start. I began using wireless networks around 2000 and 2001 some of the first research showing its deficiencies as a secure medium began to surface. The Wi-Fi Alliance, the governing body around wireless standards, marched out WPA and the groundwork for the current standard level of security WPA2 in a rapid response to these flaws. This only held up for 13 years before information on an exploit became public. This is just an inevitability when transferring information through the air that almost anyone can grab. Exploits for computer systems are being used all over the world by individuals as low as the friendly Nigerian princess who just need a small deposit to send you that windfall all the way up to Nation/States trying to sabotage uranium enrichment. The overall point is that flaws will be found, new methods will be implemented, but the constant in this equation is the tug of war between encryption and those that want to unencrypt.
The really scary stuff, is that while all of this is going on, the US government is trying to argue that we need purpose built ways to circumvent encryption. They can’t even hold on to their tools they used to sabotage Iran’s nuclear program (if you don’t know just look up Stuxnet). Even when we use our best and brightest minds to build encryption, there are still no shortage of issues with its implementation. This is just yet another example. Luckily this is one example that involves security researchers reporting this to the public, providing proof of concepts, and giving companies and individuals time to patch hardware before releasing these exploits into the wild. Unlike in the movie Zero Days, which you can find on Netflix, that involves four separate zero day exploits that were not found by altruistic security researchers, but were instead used as the first confirmed stand-alone offensive cyber warfare in history.