Severe near universal WiFi flaw might make you want a VPN – wait
You may have heard about the WPA2 authentication flaw that allows attackers to intercept and decode anything on your private network. If not, ARS Technica has a great writeup of it here.
The easy way to understand this is someone (router) trying to give you their phone number (long encryption key) to memorize while you’ve got someone next to you singing “beachwood 45789” – the hack works by interrupting you and pushing a key they know how to decrypt into the mix by claiming you didn’t get it.
This may leave you thinking that perhaps you should get a VPN. I’m sure several sites are now saying to protect yourself via this method. I’d like to sell you that VPN and make roughly 50% commission, but I’m not going to advise it as a response to this flaw.
It’s fairly important to realize that the WiFi flaw allows you to decrypt any traffic that flows over WiFi, however it does not allow you to decrypt encrypted data that flows at the next layer. Think of it as being able to see anything that passes along a tube between a device and a router, now connect to an SSL and you’re still seeing those packets but now they’re encrypted.
SSL wasn’t busted, just a method was found during a four-handshake process of wifi in which you could bounce a connection off and force an encryption key to be used that as an attacker you’re aware of.
This means any attacker can grab all the back and forth chatter, but only unencrypted requests will be easily visible, and the SSL and HTTPS requests will all be gobbledygook. They’re not just passing your bank password back and forth unencrypted.
Now you may be wondering, since we have all the data as we’re logging everything, couldn’t we just replay the SSL/HTTPS handshake and figure out the data inside it? Maybe. They’d probably have to have some more information (RSA fingerprint?) which they might be able to grab if they can execute a man in the middle as well as snooping (or are there when you’re initially setting up the device). Breaking SSL would be a different ballgame.
Wouldn’t it make sense to have a VPN scrambling communications as well? Could be probably be unscrambled as well. Same as SSL.
How about we just use cell data? Stingrays can do the same thing.
Is there any hope?
Cash in a box under the mattress. Guns, lots of them.
Actually if you’re going to go the VPN route, Speedify might protect you if it’s set up right. It can tunnel traffic via data network and WiFi at the same time. A compromised WIFi connection wouldn’t have all the data so a snooper would have a whole lot of useless multiply encrypted data.
Or connect to a VPN on cell data, then switch over to WiFi. As long as the VPN is smart enough it should get the encryption key on network 1, then carry it over to network 2. Plenty of free VPNs if you want to try this route.
Any VPN that stores a key and takes it with you after initial setup and doesn’t negotiate a new key every time.
That said, patches to every single thing are being written right now to patch this key injection attack. It’s been known since May but disclosed yesterday after giving companies months to fix it.
So maybe just stay off of doing anything on a WiFi you don’t know if it’s been patched for a bit. As a snooper can grab cookies, impersonate your login, etc. Even your own WiFi can be compromised if you’ve got a neighbor who’s really attempting to break into your data.
It’s a huge flaw, but there are no known exploits in the wild yet, and it really only can pull unencrypted traffic at the moment.
So panic, but not a lot. Just skip mobile banking on the coffee shop wifi if possible, and if you’re on a social or dating site make sure the login page is already in SSL or you could end up like thousands of dating site subscribers did a couple of years back.
Or you know, panic a lot and make me some of the VPN referral cash. That would be sweet.