US CERT advisory on WPA2 wireless security flaw, sent to orgns (not public)

I had planned to do some reading up about security vulnerabilities (and any health issues) related to WiFi. Perhaps in 2011 or so I seriously considered whether I should use WiFi on a regular basis. But at that time I read about some innocent people in India whose WiFi connections were used by criminals/terrorists (by hacking into it or perhaps simply using an open WiFi connection), and who (the innocent people) then had to face questioning from the police!  My readings then did not give me a clear picture of WiFi security. As WiFi usage was not critical for me then, I simply decided to avoid using WiFi, switched off (via configuration option) the WiFi facility of the BSNL ADSL modem and router, and relied on Ethernet cable connected Internet via BSNL ADSL modem and router (landline BSNL broadband Internet). I think such landline connections using Ethernet cables are difficult to hack and penetrate. I don’t recall reading any hacking/penetration reports about such BSNL landline Ethernet broadband connections in India.

But now I have become a regular user of WiFi as my regular Internet connection is through the JioFi 4G WiFi router. I use the default WPA-PSK/WPA2-PSK (default setting of WPA-WPA2 Mixed with AES encryption) wireless security provided by JioFi router and have password protected my connection. And I also check on the JioFi web status/admin page: http://jiofi.local.html/ , from time to time, that the number of clients connected to my JioFi router matches the clients I have connected (usually 1 from PC desktop but sometimes additional like Laptop or phone).

I have not yet got around to doing a proper reading up of wireless security today in 2017. Neither have I been able to do a proper reading up of any health issues related to WiFi usage.

But today I came across this article, Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping, https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/, 16th Oct. 2017.

The article quotes a USA Computer Emergency Readiness Team (US-CERT) advisory distributed to 100 organizations as saying, “US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.”

Ravi: Today is 16th October 2017 and so we may get more details about this vulnerability today (unless they have already done so).

My view, based on this article, is that HTTPS protocol is reasonably safe to use over WiFi Internet even with this WPA2 security vulnerability as HTTPS uses its own (SSL) encryption. The article suggests that WiFi Internet usage should be avoided but I think that’s a rather extreme reaction based on what the article says, for home users like me. But the article continues to say, “When Wi-Fi is the only connection option, people should use HTTPS, STARTTLS, Secure Shell and other reliable protocols to encrypt Web and e-mail traffic as it passes between computers and access points.”

It is HTTP protocol usage over WiFi Internet that could be hacked due to these vulnerabilities, and so it is UNSAFE to use HTTP protocol over WiFi Internet.

gmail, facebook, blogger, wordpress, Internet banking (Indian banks) etc. sites are https sites and so, it seems to me, they may be used safely over WiFi WPA2 security Internet.

Here is an interesting advisory related to WiFi routers from USA Computer Emergency Readiness Team (US-CERT), Security Tip (ST15-002),Securing Your Home Network, https://www.us-cert.gov/ncas/tips/ST15-002, last revised on 16th Dec. 2015.

I followed suggestions given above of disabling WPS (enabled by default in JioFi 3 router). UPnP setting was disabled by default.

===========================================

Readers may want to visit an update to this post here: US-CERT releases public vulnerability note on WPA2 handshake, https://ravisiyer.wordpress.com/2017/10/16/us-cert-releases-public-vulnerability-note-on-wpa2-handshake/, dated 16th Oct. 2017.

This entry was posted in Misc. Bookmark the permalink.