We worked with Professor Vanhoef to identify critical security flaws in two instances of commonly used open source WiFi software that expose users to traffic interception and other attacks.
The first attack is the user connect to Enterprise WiFi network, the second is existing Home network.
Our goal in publishing this research is to help improve the security of wireless networks by identifying critical software vulnerabilities so vendors can patch them and ensure the public is informed. is to improve standards.
We also want to raise public awareness of the risks associated with using shared networks and share advice on how to protect against them.
What devices are affected?
Vulnerabilities that affect wpa_supplicant
v2.10 and earlier (CVE-2023-52160) is of particular concern because it is the default software used by Android devices to handle login requests to wireless networks.
Therefore, 2.3 billion Android users worldwide could be affected by this vulnerability.[1]
of wpa_supplicant
This software is available not only on ChromeOS, the operating system used on Chromebooks, which are very popular in educational settings, but also on nearly all Linux devices.
on the other hand, wpa_supplicant
This vulnerability only affects WiFi clients that are not properly configured to validate the authentication server’s certificate. Recent research has unfortunately shown that this happens frequently, especially on affected devices.[2]
The IWD v2.13 and earlier vulnerability (CVE-2023-52161) is Linux-only WiFi software, so fewer people are affected.However, it affects everyone This vulnerability does not rely on misconfiguration and uses IWD as the access point.
Developed by Intel, IWD is a comprehensive connectivity solution for Linux and is intended to eventually become a Linux replacement. wpa_supplicant
.[3] It is available in the official package managers of all major Linux distributions.
What types of WiFi networks are at risk?
vulnerability of wpa_supplicant
Affects WiFi networks that use WPA2/3 Enterprise mode instead of the less secure Personal mode that is common in home WiFi networks.
Ironically, the security flaws identified in this report are related to the possible exploitation of the mutual authentication process, which exists only in Enterprise Mode, which is generally recommended for use by large enterprises.
Meanwhile, IWD vulnerabilities affect home WiFi networks.
How can these new vulnerabilities be exploited?
of wpa_supplicant
This vulnerability allows a malicious attacker to trick a victim into automatically connecting to a malicious clone of a trusted WiFi network and intercept their traffic.
This attack does not require the victim to do anything, so the victim is likely not aware that he or she has been targeted.
To exploit this vulnerability, an attacker only needs the SSID of an enterprise WPA2/3 network that the victim has previously connected to and is within range of the victim.
One possible scenario is that an attacker roams around a company building and scans the network before targeting employees as they leave the office.
IWD vulnerabilities are different in that they allow attackers full access to existing protected WiFi networks, exposing existing users and devices to attack.
The risk of such attacks is particularly significant for small and medium-sized businesses using this type of WiFi network, and includes:
- Interception of sensitive data
- Malware infection
- ransomware attack
- Business email compromise
- password theft
How to defend against these attacks
Both vulnerabilities were reported to the vendor, patched, and available as part of a public code repository.
IWD releases updates frequently, so the usual advice regarding software and operating system updates still applies.
However, the OS you use determines how easy it is to secure your device. wpa_supplicant
Vulnerability.
ChromeOS At least version 118 and later has been patched so users can easily update to the latest version.
Linux However, users are dependent on distributions providing patched versions. wpa_supplicant
. Typically this is not done by default, so maintainers must ensure that the patch is backported to the environment in which it was provided. wpa_supplicant
version.
android Unfortunately, users will have to wait for new Android security updates that include: wpa_supplicant
patch. Unfortunately, this can take months or even years.
Therefore, in the meantime, it is important for Android users to manually configure stored enterprise network CA certificates to prevent attacks.
University students and employees connected to eduroam can also use CAT tools to securely configure Android. Her latest Android device can also use Trust-on-First-Use (TOFU) to automatically trust his CA certificate when it connects to the network for the first time.
A prudent precaution may be to clean up unused WPA2/3 enterprise networks and turn off automatic reconnection for that type of network that is used regularly.
We recommend regularly using a VPN for public WiFi networks as an additional layer of protection. This encrypts your internet traffic and at least prevents it from being intercepted by an attacker.
Check out our recommendations for the most reliable VPNs for Android and Linux. Android VPN recommendations also apply to ChromeOS users.
Although a VPN protects your Internet traffic from malicious attackers, it cannot protect against all types of attacks resulting from these or future vulnerabilities.
The following sections provide more details about the two vulnerabilities.
For a complete technical analysis and all the relevant background, download the “Bypassing WiFi Authentication in Modern WPA2/3 Networks” report by Mathy Vanhoef and Héloïse Gollier.