The nodal agency for responding to computer security incidents in India has rated the vulnerability quotient of public Wi-Fi in the country at ‘high’. “Successful exploitation of these vulnerabilities allows an attacker to obtain sensitive information such as credit card numbers, passwords, chat messages, emails etc,” CERT-in said. The Indian agency has suggested that users avoid public Wi-Fi at all costs and instead use VPN (virtual private network) and wired networks.
The note follows an international research that highlighted the vulnerability in WPA or WPA2 encryption that is most commonly used to connect to wireless networks. Researchers led by Mathy Vanhoef found that devices based on Android, iOS, Linux, macOS and Windows were among those vulnerable. They called this type of attack a key reinstallation attack, or KRACK.
This attack works by abusing design or implementation flaws in the WPA2 protocol of Wi-Fi standard, or what is known as the four-way handshake (network authentication protocol) to reinstall an already-in-use key, which then resets the key and allows the encryption protocol to be attacked, said a note by Kaspersky Labs, a data security firm. Researchers tested this loophole with an attack and wrote about it in a blog on early this week. They found that the attack “works against all modern protected Wi-Fi networks” and “41% of all Android devices”.
“This is very serious. Every Wi-Fi network is at risk,” said Ram Swaroop, founder, CyberSecurityWorks, a Chennai-based security company. “It works when the attacker is within the range of the Wi-Fi device, taking advantage of a flaw in the handshake between the device and the router,” he said.
“Using this vulnerability, a hacker can get unauthorised connection to the wireless network. They can capture every other system on the network and see what they are browsing. They can also disguise themselves as one of the users and take advantage,” said Vinod Senthil, founder, InfySec. Experts said changing the Wi-Fi password will not prevent or mitigate this attack. They suggested using LAN till the vulnerability is addressed.
Swaroop of CybersSecurityWorks cautions against using any free Wi-Fi at airports and hotels. “At home, disable broadcast of your SSID. This way no attacker can see your WiFi device. Only you and your family members know of this and can enter it into your endpoints. Check who your router manufacturer is and check for updates on their website and update your router,” he said.
Technology companies are starting to respond. On Wednesday, Microsoft issued an update that addresses the vulnerability. Others like Google and Apple are expected to issue patches soon.
(This article was originally published in The Times of India)