November 3, 2017 • 6 mins
Researchers published a paper detailing a critical vulnerability in the WPA2 security protocol for WiFi networks. What does that mean for you?
Learn more about your ad-choices at https://www.iheartpodcastnetwork.com
See omnystudio.com/listener for privacy information.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:03):
When you set up a Wi Fi network, you should
always create a unique admin and password to protect it,
and you should also know that that doesn't really matter
anymore for now. I'm Jonathan Strickland, and this is tech
Stuff Daily. If you've ever used a Wi Fi network
(00:24):
with security settings, you're likely relying upon a protocol called
w p A two. It stands for WiFi Protected Access
and it's a security certification program that's supposed to allow
for secure communication between devices and the Internet. Only now,
there's a workaround that makes w p A two about
as safe as a vault door made of tissue paper.
(00:47):
Some researchers uncovered the security flaw and wrote a paper
about it, publishing that paper in October. The flaw means
that devices running on Android, Lennox, Open BSD, and a
few other operating systems may send information to something that
appears to be a specific WiFi access point, but in
fact is a malicious clone. Some operating systems, like iOS
(01:10):
and Windows are immune against certain implementations, but are still
vulnerable to others. Here's what's going on. The attacker runs
special software called key reinstallation attacks or cracks k R
A c k S. The crack will allow the attacker
to clone the network, fooling certain electronics into connecting with
(01:31):
the malicious clone rather than the legitimate network. It does
this by interrupting a process called the four way handshake.
This is a process through which a device and a
network verify that they are having legitimate communication with each other.
The crack technique manipulates and then replays this cryptographic handshake message,
resetting the devices encryption process and intercepting all communication between
(01:55):
that device and the network. This is a type of
attack known as a man in the middle attack. Worse
than that, the clone network will be able to decrypt
communications sent through it. Pairing this with some other well
known hacker software, such as s s L strip allows
the cloned network to downgrade traffic to the HTTP protocol
(02:16):
instead of h T t P S. You may have
been told to keep an eye on the address bar
of your browser to verify the presence of that little
lock symbol next to the HTTPS. This tells you that
you've got a secure connection to that particular web page.
S s L strip pushes traffic to an HTTP protocol,
removing that extra level of security. However, this is reflected
(02:40):
in the address bar, so if you're paying attention, you
may notice the problem right away. The solution to this
problem involves updating devices with security patches that remove the vulnerability.
Changing your networks log in and password information doesn't help
all by itself, as this attack sidesteps those measures in
the first place. You have to doll updates to your
(03:01):
various devices. Those updates take time to develop and roll out,
and by the time you hear this, there may still
be some devices you own that lack of patch. It's
a good idea to be careful about using Wi Fi
networks in the meantime, particularly in public spaces. Though this
attack can turn any Wi Fi network into a vulnerability,
even in your home network. Switching to wired connections would
(03:23):
also prevent any unintended communication with malicious networks. The flaw
illustrates how difficult network security can be. First, you need
a reliable system that isn't easily breached or manipulated, and
until recently, w p A two seemed to put the bill. Now,
it's clear that the system had some major flaws, but
let's assume that the security protocol is top notch and
(03:47):
has no other known vulnerabilities. There are still plenty of
opportunities for malicious hackers to get unauthorized access to a system.
Legitimate users who choose weak login and passwords are a liability.
Humans are pretty bad remembering complicated passwords, and so it's
natural for us to get a little lazy and come
up with passwords that aren't very tricky at all. The
(04:08):
truly foolish never bothered to change their access points passwords
from the default, which means an attacker with knowledge of
the default passwords can get easy access to that network.
Others will take a minor step forward and use a
new password but rely on actual simple words. Hacker using
a brute force attack in which a machine puts forward
various words at high speeds and an attempt to find
(04:30):
the password, could gain access to such an account. Strong
complex passwords are more reliable, particularly if they are longer
than eight characters, but these are much more difficult to remember,
particularly if you're practicing good security etiquette and you've created
a new password for every site or service. You can
build complex passwords out of collection of common words, and
(04:52):
that helps, but you still need to remember what those
passwords are and not rely on the same one for
two or three for all of your law and information,
and keep in mind that the weakest point in any
security system tends to be people. There have been plenty
of systems that were breached, not through some hacker running
a slide piece of code to probe for passwords, but
(05:13):
rather a person just chatting with a company's employee and
an effort to get more information. The worst thing about
the w P A two flaws that you could be
practicing extremely healthy security habits and it doesn't even matter
because the vulnerability exists in the protocol itself. It just
doesn't seem fair. Fortunately, with some software updates, companies can
remove this possibility and you can rest easy. Just another
(05:35):
reason why it's always important to install those updates. That's
all for today. To learn more about hacking, security and malware,
check out tech Stuff. It's my long form podcast that
publishes on Wednesdays and Fridays and explores all topics in
the world of technology. I'll see you again soon. Eight
When you set up a Wi Fi network, you should
always create a unique admin and password to protect it,
and you should also know that that doesn't really matter
anymore for now. I'm Jonathan Strickland, and this is tech
Stuff Daily. If you've ever used a Wi Fi network
(00:24):
with security settings, you're likely relying upon a protocol called
w p A two. It stands for WiFi Protected Access
and it's a security certification program that's supposed to allow
for secure communication between devices and the Internet. Only now,
there's a workaround that makes w p A two about
as safe as a vault door made of tissue paper.
(00:47):
Some researchers uncovered the security flaw and wrote a paper
about it, publishing that paper in October. The flaw means
that devices running on Android, Lennox, Open BSD, and a
few other operating systems may send information to something that
appears to be a specific WiFi access point, but in
fact is a malicious clone. Some operating systems, like iOS
(01:10):
and Windows are immune against certain implementations, but are still
vulnerable to others. Here's what's going on. The attacker runs
special software called key reinstallation attacks or cracks k R
A c k S. The crack will allow the attacker
to clone the network, fooling certain electronics into connecting with
(01:31):
the malicious clone rather than the legitimate network. It does
this by interrupting a process called the four way handshake.
This is a process through which a device and a
network verify that they are having legitimate communication with each other.
The crack technique manipulates and then replays this cryptographic handshake message,
resetting the devices encryption process and intercepting all communication between
(01:55):
that device and the network. This is a type of
attack known as a man in the middle attack. Worse
than that, the clone network will be able to decrypt
communications sent through it. Pairing this with some other well
known hacker software, such as s s L strip allows
the cloned network to downgrade traffic to the HTTP protocol
(02:16):
instead of h T t P S. You may have
been told to keep an eye on the address bar
of your browser to verify the presence of that little
lock symbol next to the HTTPS. This tells you that
you've got a secure connection to that particular web page.
S s L strip pushes traffic to an HTTP protocol,
removing that extra level of security. However, this is reflected
(02:40):
in the address bar, so if you're paying attention, you
may notice the problem right away. The solution to this
problem involves updating devices with security patches that remove the vulnerability.
Changing your networks log in and password information doesn't help
all by itself, as this attack sidesteps those measures in
the first place. You have to doll updates to your
(03:01):
various devices. Those updates take time to develop and roll out,
and by the time you hear this, there may still
be some devices you own that lack of patch. It's
a good idea to be careful about using Wi Fi
networks in the meantime, particularly in public spaces. Though this
attack can turn any Wi Fi network into a vulnerability,
even in your home network. Switching to wired connections would
(03:23):
also prevent any unintended communication with malicious networks. The flaw
illustrates how difficult network security can be. First, you need
a reliable system that isn't easily breached or manipulated, and
until recently, w p A two seemed to put the bill. Now,
it's clear that the system had some major flaws, but
let's assume that the security protocol is top notch and
(03:47):
has no other known vulnerabilities. There are still plenty of
opportunities for malicious hackers to get unauthorized access to a system.
Legitimate users who choose weak login and passwords are a liability.
Humans are pretty bad remembering complicated passwords, and so it's
natural for us to get a little lazy and come
up with passwords that aren't very tricky at all. The
(04:08):
truly foolish never bothered to change their access points passwords
from the default, which means an attacker with knowledge of
the default passwords can get easy access to that network.
Others will take a minor step forward and use a
new password but rely on actual simple words. Hacker using
a brute force attack in which a machine puts forward
various words at high speeds and an attempt to find
(04:30):
the password, could gain access to such an account. Strong
complex passwords are more reliable, particularly if they are longer
than eight characters, but these are much more difficult to remember,
particularly if you're practicing good security etiquette and you've created
a new password for every site or service. You can
build complex passwords out of collection of common words, and
(04:52):
that helps, but you still need to remember what those
passwords are and not rely on the same one for
two or three for all of your law and information,
and keep in mind that the weakest point in any
security system tends to be people. There have been plenty
of systems that were breached, not through some hacker running
a slide piece of code to probe for passwords, but
(05:13):
rather a person just chatting with a company's employee and
an effort to get more information. The worst thing about
the w P A two flaws that you could be
practicing extremely healthy security habits and it doesn't even matter
because the vulnerability exists in the protocol itself. It just
doesn't seem fair. Fortunately, with some software updates, companies can
remove this possibility and you can rest easy. Just another
(05:35):
reason why it's always important to install those updates. That's
all for today. To learn more about hacking, security and malware,
check out tech Stuff. It's my long form podcast that
publishes on Wednesdays and Fridays and explores all topics in
the world of technology. I'll see you again soon. Eight
TechStuff Daily News
Host
Jonathan Strickland
Popular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
Las Culturistas with Matt Rogers and Bowen Yang
Ding dong! Join your culture consultants, Matt Rogers and Bowen Yang, on an unforgettable journey into the beating heart of CULTURE. Alongside sizzling special guests, they GET INTO the hottest pop-culture moments of the day and the formative cultural experiences that turned them into Culturistas. Produced by the Big Money Players Network and iHeartRadio.