The Singapore Computer Emergency Response Team (SingCert) has issued an alert following the discovery of major security flaws that puts every Wi-Fi user at risk.
The flaws put all devices at risk worldwide, including every Internet user in Singapore.
According to SingCert, these vulnerabilities may affect may affect the data confidentiality of users’ Wi-Fi connectivity in homes and offices. Officials figures reveal that there are more than 11 million homes, offices, cafes and public locations here using or providing Wi-Fi connections.
“The flaws affect nearly every device that uses Wi-Fi. These include routers, smartphones, computers and surveillance cameras,” said SingCert. The attacker can exploit the vulnerabilities to monitor, inject and manipulate users’ network traffic,” the agency noted.
The alert follows Monday’s confirmation of the flaws by the United States Homeland Security’s cyber-emergency unit US-Cert. SingCert, a unit of Singapore’s Cyber Security Agency, which coordinates the nation’s response to cyber threats and attacks released several guidelines on how to stay safe from these attacks.
Guidelines on how to stay safe
• Patch your Windows machines now. Microsoft released a patch for the Wi-Fi flaws in its Oct 10 Windows update. The current beta versions of Apple’s iOS, tvOS, watchOS and macOS operating systems also come with the security fix.
• Surf only encrypted (https) webpages. Similarly, website owners should also encrypt their webpages. An attacker might inject malware into unencrypted websites.
• Do not send confidential details over public Wi-Fi networks.
• Use virtual private network (VPN) services, available online or from Internet service providers, to add an extra layer of security.
• Do not visit or install software from unknown websites.
• Unplug any unpatched Wi-Fi device, such as webcams, if the Wi-Fi signal of your router extends into the public space. An attacker within the Wi-Fi range can carry out nefarious exploits.
Apparently about two months ago, The United States warned vendors of the problem so they would have time to roll out patches before the problem became public. However, despite these efforts, billions of devices remain unpatched.
An exploit dubbed Krack (Key Reinstallation Attack) exposes what is said to be the first critical vulnerabilities in WPA2, a common authentication method.
The 14-year-old WPA2 protocol secures the Wi-Fi connection between a router and a computer or Internet device. A researcher at Belgium’s University of Leuven, Mathy Vanhoef, who discovered the flaw, said in a research paper published online this week that a hacker could hijack unencrypted conversations and exchanges over the Wi-Fi connection. “The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations,” he wrote in the paper.
“To prevent the attack, users must update affected products as soon as security updates become available.”
There have been no reports of these flaws being exploited so far. An attacker must also be within the Wi-Fi range to carry out nefarious exploits. SingCert has advised users to check with their vendors on the availability of security patches and apply them as soon as possible.
Microsoft released a software fix for the Wi-Fi flaw in its Oct 10 Windows update, while the current beta versions of Apple’s iOS, tvOS, watchOS and macOS operating systems also come with the security fix. Other vendors, such as Google, are still creating security patches for their devices, and are expected to release them in the coming weeks.
Some security experts said that using a patched device provides enough protection – even if the Wi-Fi router is not patched.
Dr Gary McGraw, vice-president of security technology at US-based software engineering firm Synopsys, said design flaws are harder to fix than a software bug, which is more common.
“That is (also) why Krack is so pervasive across chips and platforms, affecting many manufacturers worldwide.”
As security software patches for routers, webcams and TVs are harder to apply, Jason Kong, co-founder of Singapore-based network security firm Toffs Technologies, said Internet service providers (ISPs) should set up help desks and provide software update packages for customers.
“For peace of mind, users should also subscribe to virtual private network services available online or from ISPs.”