New WiFi vulnerabilities open home, enterprise networks to attack

Two major flaws in open-source software could enable bad actors to break into password-protected home and enterprise WiFi networks. The vulnerabilities affecting WiFi networks were published in Top10VPN, with contributions from Mathy Vanhoef, a leading security researcher. The two flaws are separate, but together, open up many home and enterprise WiFi networks to attacks. Specifically, the security vulnerabilities allow for what are known as authentication bypass attacks. These would allow hackers to trick users into connecting to cloned versions of trusted networks, intercept their data, and join the real networks without a password.

How many devices are at risk from these WiFi network vulnerabilities?

The biggest flaw concerns wpa_supplicant v2.10 and lower, which is used by Android devices to connect to password-protected WiFi networks. Additionally, the researchers say that wpa_supplicant is also used to connect to WiFi networks in Linux and ChromeOS devices, so the vulnerabilities are far-reaching. According to the paper, this flaw will only affect devices that aren’t configured properly. However, the researchers add that many Android devices aren’t configured properly. They suspect that 2.3 billion Android users could be affected by this one security flaw.

The wpa_supplicant security issue only concerns enterprise networks (WPA2-E or WPA3-E), so home users need not worry. But considering how many businesses and schools use enterprise networks, it’s still an issue. The education sector seems particularly at risk since ChromeOS devices are extremely common there. Plus, students may be more likely to be duped by cloned WiFi networks, especially at younger ages. It’s also risky due to the fact that sensitive information is often secured by these enterprise networks.

The second vulnerability concerns the IWD software and affects home networks. However, it only puts Linux devices at risk, so not many users will be affected by this flaw.

How can you protect your devices?

These security issues have been reported. The wpa_supplicant bug is being tracked as CVE-2023-52160, and the IWD flaw is being tracked as CVE-2023-52161. Presumably, work is being done to patch these flaws immediately.

In fact, there are already some fixes for certain platforms. ChromeOS devices can be updated to version 118, which includes a fix for the wpa_supplicant bug. However, Android devices are still waiting for a fix, which will come in a subsequent Android security update. Until then, the researchers say that a CAT tool can be used to secure their devices. Linux users will need to wait for their preferred distro to release a patch for wpa_supplicant.