p*******m Posts: 20761 | 1 Your Wi-Fi can be hacked in minutes. My router and computer are both patched; what about yours?
US government announces that your Wi-Fi is vulnerable to hacks
By Paul Hill · 7 hours ago
Everybody’s internet is public today. WPA2, the go-to Wi-Fi security option,
has been cracked by Belgian researchers. The US Computer Emergency
Readiness Team (CERT) has issued a warning in response and is due to release
more details about the vulnerability later today. The warning issued is
stark, saying that almost all implementations are affected. Now there are
calls for a superseding WPA3 standard.
On the researchers' website, the attack is described in the following way:
Concretely, attackers can use this novel attack technique to read
information that was previously assumed to be safely encrypted. This can be
abused to steal sensitive information such as credit card numbers, passwords,
chat messages, emails, photos, and so on. The attack works against all
modern protected Wi-Fi networks. Depending on the network configuration, it
is also possible to inject and manipulate data. For example, an attacker
might be able to inject ransomware or other malware into websites.
The researchers tested multiple devices to see whether the vulnerability
impacted them. Initial research shows that Android, Linux, Apple, Windows,
OpenBSD, MediaTek, and Linksys are among those that are affected by some
variant of the attack. The researchers urge users to update devices as soon
as possible, but in reality, many devices will never see such a patch.
Here's a demonstration of the exploit being used against an affected device:
The statement from US CERT reads:
“The impact of exploiting these vulnerabilities includes decryption, packet
replay, TCP connection hijacking, HTTP content injection and others … most
or all correct implementations of the standard will be affected.”
In response to the news, one person proposed two solutions to the problem;
the first option is for the Wi-Fi Alliance to be given a list of everything
that’s broken in WPA2 and let them fix it, issuing new specs for the
standard for software manufacturers to implement. The second option was the
creation of an unofficial WPA3 without the help of the Wi-Fi Alliance.
The proposal for option two reads:
“Free Software community has a wide range of networking software that
enables manipulation of Wi-Fi traffic. While some of it can be used for
nefarious purposes, we could as well use it to sketch up a prototype of WPA3
and push for it to get adopted. If you’re interested, I encourage you to
contact the discussion boards for projects related to Wi-Fi manipulation and
see if they’re interested in this. Some of the projects that are related
include: ScaPy, WPA supplicant, OpenWRT. There’s definitely more of them so
if you know them, let me know!”
Going forward, you will likely only be able to use WPA2 on your home devices
for quite a while. In the meantime you can mitigate attacks by connecting
to internet resources over secure protocols such as HTTPS and SSL. In order
to use SSL for things such as email, ensure that you’re using port 465 with
SMTP. As for HTTPS, it’s recommended that you install EFF’s HTTPS
Everywhere; this will force many more connections to use HTTPS than your
browser normally would and allows you to disable insecure traffic in your
browser entirely.