Friday Digest #12: New WiFi Vulnerabilities
Hi, it's Simon from Top10VPN. I'm excited to take over from Sam this week to talk about our latest research, the discovery of two new WiFi vulnerabilities.
I published a report on Tuesday with details of two new vulnerabilities in open-source WiFi software found in almost all Android, Linux and ChromeOS devices.
This report was the end result of a months-long project we undertook with veteran researcher Mathy Vanhoef. Professor Vanhoef has an impressive track record in this area, which includes TunnelCrack, KRACK Attack and Dragonblood.
The new security flaws we found relate to how the affected software handles the authentication process when a device joins a WiFi network.
One of the vulnerabilities allows attackers to trick their victims into automatically connecting to malicious clones of trusted Enterprise WiFi networks in order to intercept their traffic.
This security hole in the wpa_supplicant software (CVE-2023-52160) has a pretty significant impact, as it potentially affects almost all of the 2.3 billion Android devices in the world, along with Linux and ChromeOS machines.
The other vulnerability, in Intel's IWD software (CVE-2023-52161), makes it possible to hack into a secure home WiFi network without needing the password. This flaw is Linux-only, limiting its impact in comparison.
The risks of such an attack, particularly to a small business using this kind of WiFi network rather than Enterprise mode, are significant and include interception of sensitive data, malware infections and ransomware attacks, along with the potential compromise of business email and passwords.
Watch this short video for a demonstration by Prof. Vanhoef of how these security flaws can be exploited.
Prof. Vanhoef told me that the most significant aspect of the discovery is that it shows that "detecting and preventing protocol state bugs is still challenging".
"In our attacks, we abuse logical implementation flaws where parts of a handshake or protocol can be skipped, and it's still an open question of how to best detect and prevent such vulnerabilities," said Prof. Mathy Vanhoef, security researcher.
So what should you do? ChromeOS devices are easy to deal with. A simple update to the latest version fixes the issue.
For Android users, though, the usual advice of making sure your OS is updated to the latest version won't cut it.
While the vulnerability in the wpa_supplicant software is now patched, the patched version needs to be included in an Android security update and actually rolled out, which, frustratingly, can take months or even years.
While this is far from ideal, the exploit only works when a very common misconfiguration is present. The proper configuration of WiFi clients is typically overlooked because it's more technical than most people are comfortable with, not to mention rather tedious too.
So, Android users should protect themselves while they wait for a security update by rolling their sleeves up and manually configuring the CA certificate of any saved Enterprise networks to prevent the attack.
The picture is more complicated for Linux users.
Intel releases frequent updates for IWD, so as long as the Linux machine is up to date, there should be nothing to worry about. However, Linux users are reliant on their distribution (i.e. Debian, Ubuntu, Mint etc.) providing a patched version of wpa_supplicant. This is not typically done by default, so maintainers will have to ensure the patch is backported into the wpa_supplicant version they provide.
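As an added check (not code from the original post or from the wpa_supplicant project), here is a small audit of the wpa_supplicant.conf format that Linux users edit directly: it flags Enterprise (WPA-EAP) profiles that have no CA certificate or server-name match configured, which is the misconfiguration the advice above tells Android users to fix through their saved network settings. The sample configuration, SSIDs and certificate path are constructed for illustration.

```python
import re
# Constructed sample wpa_supplicant.conf (not from the original post or the wpa_supplicant
# project): an EAP profile without server validation, a hardened one, and a PSK profile.
SAMPLE_CONF = """network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="corp-wifi-hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.example.com"
}
network={
    ssid="home"
    key_mgmt=WPA-PSK
    psk="example-only"
}
"""
NETWORK_BLOCK = re.compile(r"network=\{(.*?)\}", re.S)

def parse_networks(conf: str) -> list:
    """Split a wpa_supplicant.conf into one {key: value} dict per network block."""
    nets = []
    for body in NETWORK_BLOCK.findall(conf):
        entry = {}
        for raw in body.splitlines():
            line = raw.strip()
            if "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                entry[key.strip()] = value.strip().strip('"')
        nets.append(entry)
    return nets

def audit_enterprise_networks(conf: str) -> dict:
    """Map each WPA-EAP SSID to its findings; profiles with no findings are omitted."""
    findings = {}
    for net in parse_networks(conf):
        if "WPA-EAP" not in net.get("key_mgmt", ""):
            continue  # PSK/open profiles have no RADIUS server certificate to check
        problems = []
        if not any(k in net for k in ("ca_cert", "ca_cert2", "ca_path")):
            problems.append("no ca_cert: server certificate is not validated")
        if not any(k in net for k in ("domain_match", "domain_suffix_match")):
            problems.append("no domain_match: any certificate from that CA is accepted")
        if problems:
            findings[net.get("ssid", "<no ssid>")] = problems
    return findings
```

Run it against a real configuration by replacing SAMPLE_CONF with the file contents; a profile that shows up with the first finding is the one the attack described above relies on.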
Given how murky the situation is even after the vulnerable software has been patched, it seems sensible to use a VPN on any public WiFi network as a general rule: this will at least prevent an attacker from intercepting your internet traffic, since it will be encrypted.
VPN News
TechCrunch: Mozilla downsizes as it refocuses on Firefox and AI: Read the memo
Mozilla is undergoing significant organizational changes and is scaling back investments in various products including its VPN, Relay, Online Footprint Scrubber, and the mozilla.social Mastodon instance. These changes come after the installation of a new interim CEO and aim to consolidate resources, focusing on areas like AI/ML integration with Firefox and content discovery through Pocket.
Mullvad VPN: Email server audit
A security assessment conducted by Assured Security Consultants for Mullvad VPN found the overall security of their mail servers mail.mullvadvpn.net and mail2.mullvadvpn.net was good with only minor issues identified, none of which pose a major risk. The assessment found 2 medium, 3 low, and 3 note severity issues, recommending patches and reconfigurations to improve security further.
Security Week: Exploitation of Another Ivanti VPN Vulnerability Observed
Security researchers have begun to observe exploitation of a recently disclosed XML external entity (XXE) vulnerability in Ivanti enterprise VPN and network access products, identified as CVE-2024-22024. Despite patches being released for affected Ivanti products, proof-of-concept (PoC) exploits for the vulnerability were made public, leading to concerns about potential compromise and active exploitation of the flaw.
Internet Shutdown News
The Wire: Farmers' Protest: Internet Shutdown to Continue in 7 Haryana Districts, Key X Accounts Withheld
In India, the Haryana government extended an internet and bulk messaging ban in seven districts due to ongoing farmers' protests, while several X accounts related to the protest have been withheld. The Punjab and Haryana high court questioned the restrictions on farmers' right to movement and assembly, as legal actions and police measures aim to prevent protestors from reaching Delhi.
Amnesty International: Pakistan: Election-day internet shutdown is a reckless attack on people’s rights
Amnesty International criticized Pakistan's election-day internet shutdown as a violation of freedom of expression and peaceful assembly, highlighting the negative impact on people's ability to access information during the general elections amid security concerns and a crackdown on the opposition. The organization called for the immediate lifting of all blanket internet restrictions to ensure public access to timely election-related information and maintain trust in the authorities during this critical period.
Bloomberg: Musk’s Starlink Used by Sudan Paramilitary Group Amid Internet Blackout
Elon Musk's Starlink satellite internet service is being utilized by Sudan's paramilitary Rapid Support Forces (RSF) amid a nationwide internet blackout, complicating the humanitarian crisis during the country's 10-month civil war. The technology has been accessed by the RSF since August and is being imported through Chad and South Sudan.
In Other News
TechCrunch: UK utility giant Southern Water says hackers stole personal data of hundreds of thousands of customers
Southern Water, a major UK utility company, confirmed a cyberattack in January that compromised personal data of up to 470,000 customers. The breach, claimed by the Black Basta ransomware group, involved sensitive information including dates of birth, national insurance numbers, and bank details, with the company working with cybersecurity experts to monitor for data exposure online.
The Verge: ChatGPT is getting ‘memory’ to remember who you are and what you like
OpenAI is introducing a "memory" feature to ChatGPT, enabling the AI to remember personal information and preferences shared by users across sessions, aiming for a more personalized and efficient interaction experience. While promising enhanced user experience by reducing repetitiveness, this development raises privacy concerns, though OpenAI assures users can manage and delete what ChatGPT remembers via settings, and even use a "Temporary Chat" mode for incognito interactions.
The Guardian: Explainer: what is Volt Typhoon and why is it the ‘defining threat of our generation’?
Volt Typhoon, identified by the FBI as a significant Chinese cyber operation, has compromised thousands of internet-connected devices, particularly within US critical infrastructure. This operation, active since mid-2021 and involving espionage and potential disruption of critical communications infrastructure, has prompted concerns over cybersecurity weaknesses and led to international and domestic efforts to mitigate the threats posed by these activities.
TechCrunch: Hackers uncover new TheTruthSpy stalkerware victims: Is your Android device compromised?
The consumer-grade spyware operation known as TheTruthSpy, which compromises the security and privacy of thousands of Android device users through mobile surveillance apps, remains an ongoing threat due to a simple, unpatched security flaw. Recently, two hacking groups discovered and exploited this flaw to access a vast amount of victim data stored on TheTruthSpy's servers, prompting TechCrunch to update its spyware lookup tool with 50,000 new Android device identifiers compromised by the spyware up to December 2023.
WIRED: A Backroom Deal Looms Over a High-Stakes US Surveillance Fight
Congressional leaders are privately discussing the future of Section 702, a controversial U.S. surveillance program, potentially sidelining popular privacy-focused reforms. There's widespread legislative support for pro-privacy reforms to Section 702, including new warrant requirements, but there are fears that these will be discarded in closed-door negotiations, mirroring past instances where pro-privacy amendments were removed from legislation at the last minute.
Top10VPN in the News
Bloomberg: Senegal Cuts Mobile Internet as Crackdown on Dissent Widens
Phoronix: New WiFi Authentication Vulnerabilities For Linux's IWD & WPA_Supplicant
Le Télégramme: Cutting off the internet, the new weapon of authoritarian regimes [Paywall]
SecurityWeek: New Wi-Fi Authentication Bypass Flaws Expose Home, Enterprise Networks