Can The Latest Wi-Fi Security Bug Be Patched?
Another week, another digital security breach. Researchers in Belgium exposed a bug in Wi-Fi Protected Access II, or WPA2, the industry-adopted standard that is used to secure and encrypt all modern Wi-Fi networks. Security reporter Dan Goodin of Ars Technica talks about how the bug could make you vulnerable to hackers … and how it can be fixed.
Dan Goodin is Security Editor for Ars Technica. He’s based in San Francisco, California.
IRA FLATOW: And now it’s time to play Good Thing, Bad Thing. Because every story has a flip side, a new security breach seems to happen every week, right? Another day, another patch, one of the costs of living a digital life. Well this week, researchers reveal the vulnerability in the protocol that protects your Wi-Fi connection.
They exposed a bug in the WPA2 protocol, if you want to get technical. It’s not a device or a program, but the underlying security that is built into all modern wireless networks. Before you panic, all hope is not lost. Dan Goodin is here to break down this latest security issue. Dan is the security editor at Ars Technica based out of San Francisco. Welcome to Science Friday.
DAN GOODIN: Great to be here, Ira.
IRA FLATOW: So that WPA2 protocol, isn’t that the place where I enter my secret code to my router that you need to enter if you want to use it?
DAN GOODIN: That’s right. That’s right. That’s the Wi-Fi password that you need to get from a few handful of you know Wi-Fi cafes that actually use a password to protect their Wi-Fi network.
IRA FLATOW: So what went wrong here?
DAN GOODIN: Well, it turns out that there has been lurking in this protocol the ability for an attacker to cause the Wi-Fi router to reissue a key over and over again. And when this key gets issued a second or third time, it reuses what’s known as a cryptographic nonce. A cryptographic nonce is the device that adds some randomness to things.
And so it’s never ever ever supposed to be used more than once. And if you can get somebody to reissue this key and use it a second or third time, the key no longer is secret. And this allows an attacker to in theory and on certain platforms at least completely bypass the very, very otherwise strong encryption that WPA2 provides.
IRA FLATOW: Is there any WPA2 protocol type that’s more vulnerable than the other?
DAN GOODIN: Well, there are certain operating systems where the vulnerability is particularly bad. So you know, a lot of people have Android phones. And it turns out that because of the specific way that WPA2 is implemented, not only in Android but also in Linux from which Android is derived, it’s particularly bad there. They can actually cause you to install a key of the attacker’s choice and just completely bypass everything, inject malware into like a website that somebody is visiting. It’s not quite as bad on some of the other platforms, you know, Windows.
IRA FLATOW: There’s got to be some good news. Can we patch it? Can we take care of it?
DAN GOODIN: Yeah, there is. There’s definitely some good news. First of all, yes, it can be patched. Windows actually patched it last week. You know Microsoft and anyone who is updated on all of their Windows patches is already, that particular machine is not vulnerable to it. Their Wi-Fi network may still be. We’re expecting Apple to patch iOS and Mac OS very, very soon and other routers and OS’s should be patched pretty soon.
The other reason that we shouldn’t despair too much is that most apps that people’s smartphones are using, as well as many, many websites that people are visiting, you know, , regularly you know, ScienceFriday.com included already use encryption. They use something called know HDTPS or TLS encryption. And that means that as long as those sites are doing the encryption correctly, they’re not going to, the attacker is not going to be able to tamper with that particular traffic.
IRA FLATOW: Well, thank you, Dan, for filling us in on this. Dan Goodin, Security Editor at Ars Technica.