A new vulnerability in the Wi-Fi Protected Access II (WPA2) protocol has been detailed.
“The weaknesses are in the Wi-Fi standard, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected,” said Vanhoef.
“Users must update affected products as soon as security updates become available. We discovered that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others are all affected by some variant of the attacks.”
Vanhoef said attackers in range of the same Wi-Fi network as you could exploit the vulnerability to steal sensitive information.
Depending on the network configuration, it is also possible to inject malware and manipulate data.
Android and Linux
The attack is “exceptionally devastating” against Linux and Android 6.0 or higher, said Vanhoef.
This is because Android and Linux use the same Wi-Fi client software, known as wpa_supplicant. Versions 2.4 and above of the software can be tricked into installing an all-zero encryption key.
“This vulnerability appears to be caused by a remark in the Wi-Fi standard that suggests to clear the encryption key from memory once it has been installed for the first time.”
“When the client now receives a retransmitted message 3 of the 4-way handshake, it will reinstall the now-cleared encryption key, effectively installing an all-zero key.”
Vanhoef said his proof-of-concept attacks do not recover the password of the Wi-Fi network, nor do they recover any parts of the fresh encryption key that is negotiated during the 4-way handshake.
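The all-zero key behaviour quoted above can be followed step by step in a small model. This Python sketch is an added example, not code from wpa_supplicant or from the researcher: the `Supplicant` class, its two flags and the 16-byte sample key are constructed for illustration, and the `guard_reinstall` check is an assumed mitigation rather than any vendor's actual patch.

```python
# Simplified model of a WPA2 client handling message 3 of the 4-way handshake.
# Constructed for illustration; class, flags and sample key are hypothetical.
KEY_LEN = 16


class Supplicant:
    def __init__(self, clear_after_install, guard_reinstall):
        self.clear_after_install = clear_after_install  # behaviour quoted above
        self.guard_reinstall = guard_reinstall          # assumed mitigation
        self.key_buf = bytearray(KEY_LEN)  # negotiated key held in memory
        self.installed_key = None          # key actually used for encryption
        self.installed_once = False

    def negotiate(self, key):
        """Store the freshly negotiated key for this handshake."""
        self.key_buf[:] = key
        self.installed_key = None
        self.installed_once = False

    def on_message3(self):
        """Install the key; return True if an install happened."""
        if self.guard_reinstall and self.installed_once:
            return False  # retransmission: keep the key already in use
        self.installed_key = bytes(self.key_buf)
        self.installed_once = True
        if self.clear_after_install:
            self.key_buf[:] = bytes(KEY_LEN)  # wipe the in-memory copy
        return True


def key_after_retransmit(client, key):
    """Run one handshake in which message 3 arrives twice."""
    client.negotiate(key)
    client.on_message3()  # original message 3
    client.on_message3()  # retransmitted message 3
    return client.installed_key


def is_all_zero(key):
    return key == bytes(len(key))


if __name__ == "__main__":
    sample = bytes(range(1, KEY_LEN + 1))  # constructed sample key
    for name, c in (("clears, no guard", Supplicant(True, False)),
                    ("clears, guarded", Supplicant(True, True))):
        k = key_after_retransmit(c, sample)
        print(f"{name}: key={k.hex()} all_zero={is_all_zero(k)}")
```

The unguarded client ends up encrypting with sixteen zero bytes because the second install copies the already-wiped buffer, while the guarded client keeps the key it negotiated.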
MikroTik routers fixed
Ubiquiti said it has a patch in beta for its routers, while MikroTik said its RouterOS v6.39.3, v6.40.4, and v6.41rc are not affected.
“All implemented fixes refer only to station and [Wireless Distribution System] modes. Devices running on AP mode are not affected,” said MikroTik.
MikroTik said not all of the discovered vulnerabilities impact RouterOS, but added that it followed all recommendations and improved the key exchange process according to the guidelines it received from the security researcher.
“We released fixed versions last week, so if you upgrade your devices routinely, no further action is required,” said MikroTik.