Hi, it’s Simon Migliano here from Top10VPN. Don’t worry, you haven’t somehow lost a day; I just couldn’t wait until Friday to share my latest research report about a new WiFi vulnerability with you.
I published the report on Tuesday about the new “SSID Confusion” attack that exploits a flaw in the WiFi standard itself.
In writing this report, I had the privilege of working again with Mathy Vanhoef, the CompSci professor at KU Leuven in Belgium who’s responsible for discovering some of the biggest WiFi and VPN vulnerabilities of recent years.
We know about TunnelCrack, Dragonblood and KRACK thanks to the work of Prof Vanhoef, along with the WiFi vulnerabilities we shared earlier this year.
This new flaw (CVE-2023-52424) allows an attacker to trick a victim’s device into connecting to a different network from the one indicated by its spoofed network name (SSID). It works wherever the same credentials are reused across SSIDs, and leaves the victim exposed to traffic interception, malware or further attacks on the less trusted network.
Worryingly, the attack abuses the auto-disconnect feature of some VPN software, which automatically disables the VPN connection when the device connects to a predefined “trusted” WiFi network.
A common scenario is where there is a different SSID per frequency band, i.e. a 2.4GHz network and a 5GHz network with the same owner and a shared password.
Another threat model is where a trusted local university WiFi network and an untrusted eduroam WiFi network accept the same credentials, so the victim can be steered onto eduroam while their device still shows the trusted name.
For those of you unfamiliar with eduroam, it’s the international roaming service that allows students, researchers, and staff to get WiFi access when visiting other campuses by connecting to the eduroam WiFi network using the same credentials as their home institution.
Unfortunately the convenience that’s baked into eduroam is what makes it vulnerable to the SSID Confusion attack.
Who is affected? Any WiFi client device can be tricked, because the flaw lies in how the standard itself handles the network name, but fortunately not every type of network is affected.
Worst affected are the Enterprise (802.1X/EAP) and Mesh networks typically used by businesses, educational institutions and in public spaces, but home networks can also be vulnerable, depending on which authentication protocol is used.
Fortunately for home WiFi users, most of us still use WPA2-Personal, which is not vulnerable: the SSID is mixed into its key derivation, so a device that thinks it is joining one SSID cannot complete the handshake with a network that has another. WPA3-Personal (SAE), released in 2018, derives its keys without the SSID and is affected.
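Why WPA2-Personal escapes the attack while WPA3 does not comes down to key derivation. The following Python simulation is added here as an illustration; it is not code from the report or from Prof. Vanhoef’s tooling. It derives the WPA2 PMK the way the standard does (PBKDF2 over the passphrase, salted with the SSID), expands it to a PTK with constructed MAC addresses and nonces, and runs the 4-way handshake MIC check on a placeholder EAPOL-Key message 2. The passphrase, SSIDs and those values are assumptions. A client fed a spoofed SSID derives a different PMK from the real AP, so the handshake fails; SAE (WPA3) derives its PMK without the SSID, so that check gives no protection there.

```python
import hashlib
import hmac

LABEL = b"Pairwise key expansion"


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PSK/PMK: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so the same passphrase yields a different PMK on every SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11i PRF-384 (HMAC-SHA1 in counter mode) producing KCK||KEK||TK (16+16+16 bytes).
    Input is min/max of the two MACs followed by min/max of the two nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, LABEL + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(3)  # 3 x 20 bytes covers the 48 bytes we keep
    )
    return out[:48]


def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/AES-CCMP): MIC = HMAC-SHA1-128 over the EAPOL-Key frame."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


# Constructed values (assumptions, not captured traffic): AP and client MACs, nonces,
# and a stand-in for EAPOL-Key message 2 with its MIC field already zeroed.
AA = bytes.fromhex("001122334455")      # AP (authenticator) MAC
SPA = bytes.fromhex("66778899aabb")     # client (supplicant) MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
MSG2 = b"\x02\x03\x00\x5f\x02\x01\x0a\x00" + b"\x00" * 88


def wpa2_handshake_succeeds(passphrase: str, displayed_ssid: str, real_ssid: str) -> bool:
    """Simulate the 4-way handshake MIC check under an SSID confusion attempt.

    The client derives its PMK from the SSID it believes it is joining (what the attacker's
    spoofed beacon shows); the real AP derives its PMK from its own SSID. The client signs
    message 2 with its KCK and the AP verifies with its own KCK.
    """
    client_ptk = ptk_from_pmk(wpa2_pmk(passphrase, displayed_ssid), AA, SPA, ANONCE, SNONCE)
    ap_ptk = ptk_from_pmk(wpa2_pmk(passphrase, real_ssid), AA, SPA, ANONCE, SNONCE)
    client_mic = eapol_mic(client_ptk[:16], MSG2)
    return hmac.compare_digest(eapol_mic(ap_ptk[:16], MSG2), client_mic)


if __name__ == "__main__":
    # IEEE 802.11i Annex test vector for PBKDF2 PSK derivation: passphrase "password", SSID "IEEE"
    print(wpa2_pmk("password", "IEEE").hex())  # f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
    print(wpa2_handshake_succeeds("correct horse", "HomeNet", "HomeNet"))     # True
    print(wpa2_handshake_succeeds("correct horse", "HomeNet", "HomeNet-5G"))  # False
```

The second call models the 2.4GHz/5GHz scenario: the password is shared, but because the SSID salts the PMK the MIC check fails and the WPA2 client never completes the join. Swapping the PMK derivation for SAE, where the SSID plays no part, is exactly what turns this into a successful attack on WPA3.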
Watch this short video for a demonstration by Prof. Vanhoef of how the flaw can be exploited.
So what should you do? The root cause of this security flaw is not a software vulnerability. Instead, it’s that the IEEE 802.11 standard underpinning how WiFi works does not require the network name (SSID) to always be authenticated.
Unfortunately, this means the vulnerability had to be reported to the WiFi Alliance, a non-profit industry body rather than a software vendor with a patch pipeline. While it does valuable work, changes to the WiFi standard can take years to be agreed and rolled out.
In the meantime, the best thing to do is to avoid credential reuse across SSIDs. Enterprise networks should give each network its own RADIUS server certificate CommonName, so that a client which validates the server name refuses the handshake when it lands on the wrong network, while home networks should use a unique password per SSID.
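A practical way to act on this advice is to audit the WiFi profiles a device already has saved. The Python script below is an added example, not tooling from the report: it parses wpa_supplicant-style network={...} blocks from a constructed sample configuration (the SSIDs, passwords, identities and RADIUS names are all assumptions) and flags the two reuse patterns the report warns about: the same password on WPA3/SAE networks, and the same EAP credentials on networks that do not each pin a distinct RADIUS server name. Shared WPA2-PSK passphrases are reported as informational only, since the SSID is bound into the WPA2 key derivation.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample of a wpa_supplicant.conf; not a real device's configuration.
SAMPLE_CONF = """
network={
    ssid="HomeNet"
    key_mgmt=SAE
    sae_password="correct horse battery staple"
}
network={
    ssid="HomeNet-5G"
    key_mgmt=SAE
    sae_password="correct horse battery staple"
}
network={
    ssid="CampusSecure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.edu"
    password="s3cret"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    domain_match="radius.example.edu"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.edu"
    password="s3cret"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    domain_match="radius.example.edu"
}
network={
    ssid="GuestNet"
    key_mgmt=WPA-PSK
    psk="guestpass123"
}
network={
    ssid="GuestNet-5G"
    key_mgmt=WPA-PSK
    psk="guestpass123"
}
"""

NETWORK_BLOCK = re.compile(r"network=\{(.*?)\}", re.S)
KV_LINE = re.compile(r'^\s*(\w+)=("?)(.*?)\2\s*$', re.M)


def parse_networks(conf: str) -> list:
    """Minimal parser for network={...} blocks; handles quoted and bare values, one per line."""
    return [{k: v for k, _, v in KV_LINE.findall(body)} for body in NETWORK_BLOCK.findall(conf)]


def audit(conf: str) -> list:
    """Return findings as dicts with severity, the pair of SSIDs involved, and a reason."""
    findings = []
    by_secret = defaultdict(list)   # passphrase -> [(ssid, key_mgmt)]
    by_eap = defaultdict(list)      # (identity, password) -> [(ssid, pinned RADIUS name)]
    for n in parse_networks(conf):
        ssid, km = n.get("ssid", "?"), n.get("key_mgmt", "WPA-PSK")
        secret = n.get("sae_password") or n.get("psk")
        if secret:
            by_secret[secret].append((ssid, km))
        if "WPA-EAP" in km and n.get("identity"):
            pinned = n.get("domain_match") or n.get("domain_suffix_match") or ""
            by_eap[(n["identity"], n.get("password", ""))].append((ssid, pinned))

    for entries in by_secret.values():
        for (s1, km1), (s2, km2) in combinations(entries, 2):
            pair = tuple(sorted((s1, s2)))
            if "SAE" in km1 or "SAE" in km2:
                findings.append({"severity": "high", "ssids": pair, "reason":
                                 "shared password on a WPA3/SAE network: SAE does not bind the SSID "
                                 "to the PMK, so a spoofed SSID is accepted"})
            else:
                findings.append({"severity": "info", "ssids": pair, "reason":
                                 "shared WPA2-PSK passphrase: the SSID salts the PMK, so SSID "
                                 "confusion fails here, but reuse is still worth fixing"})

    for (ident, _), entries in by_eap.items():
        for (s1, d1), (s2, d2) in combinations(entries, 2):
            pair = tuple(sorted((s1, s2)))
            if not d1 or not d2 or d1 == d2:
                findings.append({"severity": "high", "ssids": pair, "reason":
                                 f"same EAP credentials ({ident}) and no distinct RADIUS server "
                                 "name pinned per SSID"})
            else:
                findings.append({"severity": "ok", "ssids": pair, "reason":
                                 f"same EAP credentials ({ident}) but distinct RADIUS names pinned "
                                 f"({d1} vs {d2})"})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print(f["severity"].upper(), "/".join(f["ssids"]), "-", f["reason"])
```

For the eduroam case the fix is on the infrastructure side: give the trusted campus SSID its own RADIUS certificate name and pin it with domain_match in that profile, after which the same script reports the pair as "ok" instead of "high".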
Regularly using a VPN when connecting to WiFi can also greatly mitigate the consequences of this attack by encrypting your traffic, preventing interception. However, the VPN must stay active at all times, even on trusted networks. If your VPN has the auto-disable feature, do not use it.
What We’ve Been Reading
VPN News
PCWorld: Microsoft’s patch fixes the update that broke VPNs on Windows
Microsoft has released a new update to fix a previous bug that caused VPNs to malfunction on Windows 10 and 11. While this VPN issue has been resolved, Microsoft has not yet provided an official explanation for the cause of the bug and another issue regarding changing user account profile pictures remains unaddressed.
9to5Google: Google One VPN shuts down on June 20, Pixel updates coming
Google has announced that the VPN by Google One will be discontinued on June 20, 2024. Google Fi will continue to offer its own VPN service, and Pixel phones from the Pixel 7 through the Pixel Fold will receive an update adding built-in VPN functionality.
Artificial Intelligence
ArsTechnica: Android’s AI era includes eavesdropping on phone calls, warning you about scams
At Google I/O, Google announced deeper AI integration into Android, including a Gemini feature that listens to phone calls to warn users about likely scams and can act on various forms of media to perform tasks. These capabilities run entirely on-device and are opt-in, but they raise significant privacy concerns because of the potential for intrusive monitoring.
WIRED: I Am Once Again Asking Our Tech Overlords to Watch the Whole Movie
OpenAI's CEO Sam Altman has introduced the new AI model, GPT-4o, which is designed to mimic human conversation and includes enhancements like faster response times and improved memory. The AI's capabilities are inspired by the film "Her" and although it’s intended to make interactions seem more human-like, it also raises concerns about the ethical implications and potential privacy issues of AI.
Business Insider: Meta is using your Instagram and Facebook photos to train its AI models
Meta has announced that it’s using publicly available photos and texts from Instagram and Facebook to train its AI text-to-image generator, Emu, focusing solely on content that users have chosen to share publicly.
App Updates
Rest of World: Despite international hires, TikTok is Chinese at its core
TikTok’s core decisions and operations are predominantly steered by its Chinese parent company, ByteDance, according to current and former employees. This deep interconnection complicates TikTok’s autonomy and may limit its prospects for divestiture.
The Register: Encrypted mail service Proton hands suspect's personal info to local cops
Despite its claims of high privacy standards, encrypted email service Proton Mail has once again handed user data to law enforcement, this time giving Swiss police the recovery email address of a suspect linked to support for Catalan separatists; Apple then identified the holder of that address, leading to the arrest.
Apple: Apple and Google deliver support for unwanted tracking alerts in iOS and Android
Apple and Google have collaborated to develop a new industry specification that enables both iOS and Android devices to alert users if a Bluetooth device is being used to track them without their knowledge. This feature, implemented in iOS 17.5 and Android 6.0+ devices, aims to prevent the misuse of tracking devices and enhance user privacy.
9to5Linux: Mozilla Firefox 126 Is Now Available for Download, Here’s What’s New
Mozilla Firefox 126 introduces several significant updates including Zstandard (zstd) compression for web content, AV1 hardware decode acceleration for macOS on M3 Macs, and enhanced privacy features like updated "Copy Without Site Tracking" which blocks tracking parameters in URLs.
Digital Rights
Access Now: Shrinking Democracy, Growing Violence: Internet shutdowns in 2023
The 2023 report by Access Now and the #KeepItOn coalition documented an unprecedented number of internet shutdowns, with 283 incidents in 39 countries. The report, which uses a slightly different methodology from our Cost of Internet Shutdowns research, identifies conflicts as the primary trigger for shutdowns, which are increasingly being used by governments to obscure human rights abuses.
Open Democracy: Revealed: ‘Wild West’ for personal data undermines UK human rights
A year-long investigation by openDemocracy has revealed significant failures by UK public authorities in complying with data protection laws, particularly in handling Subject Access Requests (SARs).
The New York Times: Violent Unrest Over Economic Strife Erupts in Pakistan’s Kashmir Region
Massive protests have erupted in Pakistan-controlled Kashmir due to soaring electricity bills and flour prices. In response to the unrest, the government has suspended internet services, closed schools, and planned to deploy paramilitary troops, though ongoing talks have delayed that decision.
WIRED: Secrecy Concerns Mount Over Spy Powers Targeting US Data Centers
Concerns have escalated regarding the expanded surveillance powers granted to the NSA, which now enable the agency to compel virtually any U.S. business to assist in wiretapping communications. Digital rights groups are urgently pressing U.S. officials to declassify details about these expanded powers, fearing that the broad definition could lead to widespread, warrantless surveillance of American companies.
Forbes: New Police Tech Can Detect Phones, Pet Trackers And Library Books In A Moving Car
The Leonardo ELSAG EOC Plus, a new technology developed by Italy-based Leonardo, enables police to scan moving vehicles for electronic devices, creating unique "fingerprints" of drivers and passengers based on the devices within their vehicles. This technology, which can detect specific models of devices, could be used to track individuals without their knowledge.