WPA2 Wi-Fi protocol has a built-in vulnerability
Release date: 2017-10-17
WPA2, the security commonly used on Wi-Fi communication, has a built-in vulnerability, according to researchers from the University of Leuven.
Most Wi-Fi enabled devices – computers, phones, tablets, e-readers and watches – are likely to be affected, and they will need manufacturers’ updates to block it. Until then, some safety probably comes from it being a wireless rather than Internet-based vulnerability, so would-be exploiters have to be physically local.
In a paper, ‘Key reinstallation attacks: Forcing nonce reuse in WPA2’, to be presented at CCS’17 (Dallas, 30 Oct – 03 Nov), Mathy Vanhoef and Frank Piessens will describe in detail how the attack works – by making use of something compulsory in the Wi-Fi standards.
“The recently-disclosed key re-installation attacks are a series of serious weaknesses in the WPA2 protocol that is used to secure the vast majority of modern Wi-Fi networks,” said Sebastien Jeanquier, consultant at Context Information Security.
“An attacker within range of a Wi-Fi client can trick that client into using a cryptographic key that the attacker is able to calculate, thus allowing the attacker to decrypt and eavesdrop on all of the network traffic between the Wi-Fi client and the Access Point. This could allow the attacker to steal usernames and passwords, as well as personal or financial information. The vulnerabilities are within the Wi-Fi standard itself and not individual products or implementations. As such, all Wi-Fi enabled devices should be considered affected and vulnerable, until a patch is made available by their respective vendors.”
According to Jeanquier, no attack software has been released, “although it is not inconceivable that attackers could create their own tools to perform such an attack.”
Before fixes are applied, he suggests using Ethernet or 4G instead of Wi-Fi, and connecting via encryption if Wi-Fi is unavoidable – by virtual private network (VPN), or only communicating with websites whose URLs start ‘https://’ – with the ‘s’ being the important bit.
According to the Vanhoef/Piessens CCS paper, when a client joins a network, it executes the 4-way handshake to negotiate a fresh session key and then sends a certain message.
Because connections can be dropped, there is a mechanism that re-uses the same key to send the same message – and this is where the trouble starts.
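The key-reinstallation behaviour sketched in the last two paragraphs, as an added example that is not from the article or the paper: a toy Python model of a client that resets its packet counter (nonce) every time it installs the key, next to a patched client that ignores a repeat of a key already in use. It assumes, from the published KRACK research rather than this page, that the trigger is a retransmitted handshake message 3; the class, function and key names are hypothetical.

```python
# Toy model (constructed for illustration) of a Wi-Fi client's key handling.
# Assumption not stated on this page: the client installs the session key on
# receiving handshake message 3, and the access point retransmits message 3
# when it never sees the client's reply.

class Client:
    def __init__(self, patched):
        self.patched = patched
        self.installed_key = None
        self.nonce = 0          # per-packet transmit counter
        self.used = []          # (key, nonce) pairs that encrypted a packet

    def on_message3(self, session_key):
        """Handle handshake message 3, which may arrive more than once."""
        if self.patched and session_key == self.installed_key:
            return              # key already in use: leave the counter alone
        self.installed_key = session_key
        self.nonce = 0          # installing a key resets the counter

    def send_data(self):
        """Encrypt one data packet under the current key and next nonce."""
        self.nonce += 1
        self.used.append((self.installed_key, self.nonce))


def reused_nonces(client):
    """Return the (key, nonce) pairs that protected more than one packet."""
    seen, dup = set(), set()
    for pair in client.used:
        (dup if pair in seen else seen).add(pair)
    return sorted(dup)


def run_session(patched):
    """Two packets, a repeated message 3, then two more packets."""
    c = Client(patched)
    c.on_message3("PTK-1")      # first delivery of message 3
    c.send_data()
    c.send_data()
    c.on_message3("PTK-1")      # retransmission after the reply was lost
    c.send_data()
    c.send_data()
    return reused_nonces(c)


if __name__ == "__main__":
    print("unpatched reuse:", run_session(patched=False))
    print("patched reuse:  ", run_session(patched=True))
```

Any pair reported by `reused_nonces` means two different packets were encrypted with identical key and nonce, which is the condition the paper's title refers to; the patched client reports none.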