Summary
Two major flaws in open-source software could enable bad actors to break into password-protected home and enterprise WiFi networks. The vulnerabilities were published by Top10VPN, with contributions from Mathy Vanhoef, a leading security researcher. The two flaws are separate but, together, they open up many home and enterprise WiFi networks to attack. Specifically, the vulnerabilities allow what are known as authentication bypass attacks. These would allow hackers to trick users into connecting to cloned versions of trusted networks, intercept their data, and join the real networks without a password.
- Approximately 2.3 billion Android users worldwide are at risk from a major flaw in the wpa_supplicant software used by Android devices to connect to password-protected WiFi networks, particularly users in Enterprise, Small Business and Education environments.
- The second vulnerability concerns the IWD software and affects home networks. However, it only puts Linux devices at risk, so not as many users will be affected by this flaw. Home users should note, however, that many Smart Home appliances – such as AndroidTV boxes and home hubs – run on Linux.
The Details
CVE-2023-52160: Affects 2.3 billion Android users
The biggest flaw concerns wpa_supplicant v2.10 and lower, which is used by Android devices to connect to password-protected WiFi networks. Additionally, the researchers say that wpa_supplicant is also used to connect to WiFi networks in Linux and ChromeOS devices, so the vulnerabilities are far-reaching. According to the paper, this flaw will only affect devices that aren’t configured properly. However, the researchers add that many Android devices aren’t configured properly. They suspect that 2.3 billion Android users could be affected by this one security flaw.
This vulnerability could allow bad actors to trick users into connecting to cloned versions of trusted networks, intercept their data, and join real networks without a password. The flaw specifically affects devices that are not configured properly, which is a common occurrence among Android devices. While the vulnerability only concerns enterprise networks (WPA2-E or WPA3-E), it still poses a risk due to the widespread use of enterprise networks in businesses and schools, especially in the education sector where ChromeOS devices are prevalent.
The education sector seems particularly at risk since ChromeOS devices are extremely common there. Plus, students may be more likely to be duped by cloned WiFi networks, especially at younger ages. It’s also risky due to the fact that sensitive information is often secured by these enterprise networks.
CVE-2023-52161: Affects Linux and Chrome Devices Widely Used In Businesses, Schools and Enterprise Networks
The second vulnerability concerns the IWD software and affects home networks, and is different in that it allows an adversary to gain full access to an existing protected WiFi network, exposing existing users and devices to attack.
The risks of such an attack, particularly to a small business using this kind of WiFi network, are significant and include:
- Interception of sensitive data
- Malware infections
- Ransomware attacks
- Business email compromise
- Password theft
However, it only puts Linux devices at risk, so not as many users will be affected by this flaw. Home users should note, however, that many Smart Home appliances – such as AndroidTV boxes and home hubs – run on Linux.
How can you protect your devices?
Both vulnerabilities were reported to vendors and have been patched; the fixes are available in their public code repositories. The usual advice about updating software and operating systems applies to IWD, as it releases frequent updates. However, the OS you are using will determine how straightforward it is to make sure your devices are secured against the wpa_supplicant vulnerability.
- ChromeOS users can simply update to the latest version, as it has been patched since at least version 118.
- Linux users, however, are reliant on their distribution providing a patched version of wpa_supplicant. This is not typically done by default, so maintainers will have to ensure the patch is backported into the provided wpa_supplicant version.
- Android users unfortunately must wait for a new Android security update that includes the wpa_supplicant patch. This can take a long time, from several months up to even years. In the meantime, it is critical that Android users manually configure the CA certificate of any saved Enterprise networks to prevent the attack.
- University students and staff connecting to eduroam can also use the CAT tool to securely configure Android. On the latest Android devices, it’s also possible to use Trust-on-First-Use (TOFU) to automatically trust the CA certificate when connecting to the network for the first time.
- A sensible precaution would also be to clean up any unused WPA2/3 enterprise networks and to toggle off automatic reconnection for any regularly used networks of that type.
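On a Linux host that keeps its saved networks in a wpa_supplicant.conf file, the CA-certificate advice above can be checked mechanically. The following is an added example, not code from the researchers or from wpa_supplicant: it parses the network blocks and lists enterprise networks that have no ca_cert or ca_path set. The sample configuration, SSIDs and certificate path are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in wpa_supplicant.conf syntax; SSIDs and paths are made up.
SAMPLE_CONF = '''
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="campus"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-ca.pem"
}
network={
    ssid="home"
    key_mgmt=WPA-PSK
    psk="constructed-passphrase"
}
'''

NETWORK_BLOCK = re.compile(r"^\s*network\s*=\s*\{(.*?)^\s*\}", re.S | re.M)
ENTERPRISE_KEY_MGMT = {"WPA-EAP", "WPA-EAP-SHA256", "FT-EAP", "IEEE8021X"}

def parse_networks(conf_text):
    """Return one dict of key -> value for each network={...} block."""
    networks = []
    for block in NETWORK_BLOCK.finditer(conf_text):
        fields = {}
        for line in block.group(1).splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip().strip('"')
        networks.append(fields)
    return networks

def unverified_enterprise_networks(conf_text):
    """SSIDs of enterprise (802.1X/EAP) networks with no CA certificate set."""
    flagged = []
    for net in parse_networks(conf_text):
        key_mgmt = set(net.get("key_mgmt", "").split())
        # A block with an eap= line is enterprise even if key_mgmt is omitted.
        if not (key_mgmt & ENTERPRISE_KEY_MGMT or "eap" in net):
            continue
        if not (net.get("ca_cert") or net.get("ca_path")):
            flagged.append(net.get("ssid", "<no ssid>"))
    return flagged

if __name__ == "__main__":
    for ssid in unverified_enterprise_networks(SAMPLE_CONF):
        print(f"{ssid}: enterprise network without ca_cert/ca_path")
```

Networks managed through NetworkManager or Android's settings store their profiles elsewhere, so this check covers only plain wpa_supplicant.conf files.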
Or Protect Your Networking and Data
While all of these steps – and others for good ‘cyber-hygiene’ – are important, they are also typically burdensome and difficult for small business and home users to implement and maintain. All the while, the next vulnerability waiting to be exploited is just around the corner.
This is why most experts recommend, as an additional defense, habitually using a VPN on public WiFi networks. This will at least prevent an attacker from intercepting your internet traffic, as it will be encrypted. However, VPNs themselves have widely known architectural flaws that make them vulnerable to hacking, and only protect your data while in transit.
Faction Networks eliminate the vulnerabilities of VPNs to protect your networking and data easily in a totally decentralized, encrypted Zero Trust Faction Personal Private Network (PPN) visible, accessible and controlled only by you. Faction Pods also enable users to secure smart and dumb devices – like printers, cameras, storage drives, UPS (Uninterruptible Power Supply) – which VPNs and Firewalls cannot protect, by taking them OFF the Internet and into your Faction PPN.
Learn More
Use our KEV Search Tool:
- CVE-2023-52161