The Wi-Fi Alliance has finally announced the long-awaited next generation of the wireless security protocol—Wi-Fi Protected Access (WPA3).
WPA3 will replace the existing WPA2, the network security protocol that has been around for well over a decade and is used every day by billions of wireless devices, including smartphones, laptops and Internet of Things devices.
WPA2 has long been criticised on one front in particular: it offers no protection on "unencrypted" open Wi-Fi networks, so anyone on the same hotspot can intercept the connections of other devices.
More importantly, WPA2 itself was recently found vulnerable to KRACK (Key Reinstallation Attack), which lets an attacker within radio range intercept and decrypt Wi-Fi traffic passing between a client and the access point.
The new standard of Wi-Fi security, which will be available for both personal and enterprise wireless devices later this year, offers improved security and privacy.
- WPA3 strengthens user privacy on open networks through individualised data encryption, so one client on the network can no longer read another's traffic.
- WPA3 protects against brute-force dictionary attacks: an attacker can no longer capture a handshake and then try commonly used passwords against it offline, and repeated online guesses are blocked.
- WPA3 also offers a simplified way to configure security on devices that have no display for entering settings, such as IoT devices.
- Finally, there will be a 192-bit security suite for networks with higher security requirements, such as those of government, defence and industrial organisations.
“Wi-Fi security technologies may live for decades, so it’s important they are continually updated to ensure they meet the needs of the Wi-Fi industry,” said Joe Hoffman, SAR Insight & Consulting. “Wi-Fi is evolving to maintain its high level of security as industry demands increase.”
Since hardware must get certified by the Wi-Fi Alliance to use WPA3 security protocol, the new security standard won’t arrive overnight.
It could take months for device manufacturers to support the new wireless security standard, but the first WPA3-certified devices are expected to ship later this year. More details about WPA3 have yet to be released.
Apple iOS has a new unpatched vulnerability, and we’re not just talking about the KRACK vulnerability that hit just about everyone using WiFi. The latest vulnerability was uncovered during a Tokyo hackathon by a team from Tencent’s Keen Lab. What’s this Apple iOS vulnerability all about? Their hack of the latest iOS used WiFi […]
The post Apple iOS and Wifi – more open to the world than you might think appeared first on Avira Blog.
KRACK headlines are everywhere: all WiFi communication is at risk now that a researcher has figured out how to bypass WPA2, the world’s most widely used Wi-Fi encryption protocol.
The post The WPA2 security issue: Time to un-KRACK your WIFI appeared first on Avira Blog.
If you think the KRACK attack on WiFi is the worst vulnerability of this year, then hold on…
…we have got another one for you which is even worse.
Microsoft, Google, Lenovo, HP and Fujitsu are warning their customers of a potentially serious vulnerability in a widely used RSA cryptographic library produced by German semiconductor manufacturer Infineon Technologies.
It’s noteworthy that this vulnerability (CVE-2017-15361) is not a weakness in the RSA algorithm itself and does not affect elliptic-curve cryptography; it lies in the way Infineon’s library, shipped in its Trusted Platform Module (TPM) chips, generates RSA key pairs.
A TPM is a dedicated microcontroller that keeps cryptographic keys inside the device and performs cryptographic operations in hardware, and Infineon’s TPMs are among the most widely deployed.
The flaw has been present in Infineon’s key generation code for about five years. It was discovered by security researchers at Masaryk University in the Czech Republic, who have released a blog post with more details about the weakness as well as an online tool to test whether an RSA public key was produced by the vulnerable generator.
ROCA: Factorization Attack to Recover Private RSA Keys
Dubbed ROCA (Return of Coppersmith’s Attack), the factorization attack introduced by the researchers could allow a remote attacker to recover a private key from nothing more than the target’s public key: the primes produced by the flawed generator have a special structure that makes the modulus far cheaper to factor than a properly generated key of the same size.
“Only the knowledge of a public key is necessary and no physical access to the vulnerable device is required,” the researchers said. “The vulnerability does NOT depend on a weak or a faulty random number generator—all RSA keys generated by a vulnerable chip are impacted.”
This could allow the attacker to impersonate the key owner, decrypt the victim’s sensitive data, inject malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with the targeted computer.
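The "test whether your public key is affected" check is reproducible from the published description of the flaw. Infineon's generator produced primes of the form p = k*M + (65537^a mod M), where M is the product of the first n primes (n grows with the key size), so for every small prime s dividing M the residue N mod s of a modulus N = p*q always lies in the subgroup of Z_s^* generated by 65537. A correctly generated modulus lands in all of those subgroups only with negligible probability. The Python below is an added example written for this article, not the researchers' tool or Infineon's code: it rebuilds that fingerprint over the primes 3 to 167 (which divide M for every affected key size) and, so that it can be run offline, constructs toy 512-bit moduli with and without the flawed structure. The key sizes, the seed and the generated keys are constructed for the demonstration, not taken from a real device; the fingerprint says only that a key came from the flawed generator, it does not factor it.

```python
import random

E = 65537  # the public exponent the flawed generator builds its primes around

# Small primes 3..167.  They all divide the generator's M for every affected
# key size, so for a ROCA-structured N = p*q the residue N mod s always lies
# in the subgroup of Z_s^* generated by 65537, for each s in this list.
FINGERPRINT_PRIMES = [
    3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
    73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149,
    151, 157, 163, 167,
]


def subgroup_generated_by_e(s):
    """All residues 65537^k mod s, i.e. the subgroup generated by E in Z_s^*."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * E) % s
    return seen


SUBGROUPS = {s: subgroup_generated_by_e(s) for s in FINGERPRINT_PRIMES}


def has_roca_fingerprint(n):
    """True when every residue n mod s sits in the 65537-subgroup (only keys
    from the flawed generator do, apart from a negligible chance of a fluke)."""
    return all((n % s) in SUBGROUPS[s] for s in FINGERPRINT_PRIMES)


def is_probable_prime(n, rng=random, rounds=32):
    """Miller-Rabin with `rounds` random bases; error probability <= 4**-rounds."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


# Primorial 2*3*5*...*167: the M the generator used for 512-bit keys (toy size here).
M = 2
for _s in FINGERPRINT_PRIMES:
    M *= _s


def roca_structured_prime(bits, rng):
    """Toy prime of the form k*M + (65537^a mod M), the structure ROCA exploits.
    k is chosen so that the result has exactly `bits` bits."""
    k_low = (1 << (bits - 1)) // M + 1
    k_high = (1 << bits) // M
    while True:
        a = rng.randrange(1, M)
        cand = rng.randrange(k_low, k_high) * M + pow(E, a, M)
        if is_probable_prime(cand, rng):
            return cand


def random_prime(bits, rng):
    """Ordinary random prime of `bits` bits with no special structure, for comparison."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def demo(seed=1234):
    """Build one ROCA-structured and one ordinary 512-bit modulus (constructed
    test data) and return (fingerprint of bad key, fingerprint of good key)."""
    rng = random.Random(seed)
    bad = roca_structured_prime(256, rng) * roca_structured_prime(256, rng)
    good = random_prime(256, rng) * random_prime(256, rng)
    return has_roca_fingerprint(bad), has_roca_fingerprint(good)


if __name__ == "__main__":
    flagged_bad, flagged_good = demo()
    print("ROCA-structured modulus flagged:", flagged_bad)  # True
    print("Ordinary modulus flagged:", flagged_good)        # False
```

To check a real key, load its modulus (for example the `n` of an RSA public key parsed by any library) and pass it to `has_roca_fingerprint`; a `True` result means the key should be treated as compromised and replaced, whatever its length, because the fingerprint depends only on the generator's structure, not on the key size.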
ROCA Attack Exposes Billions of Devices to Attack
The flaw affects keys generated by Infineon chips manufactured from 2012 onward, and the attack is practical for commonly used key lengths, including 1024 and 2048 bits. Such keys are found in national identity cards, in the TPMs on PC motherboards that protect stored credentials, in authentication tokens, in TLS certificates used for secure browsing, in software and application signing, and in message protection such as PGP.
The flaw also weakens the security of government and corporate computers protected using Infineon’s cryptographic library and chips.
Windows PCs and Chromebooks from HP, Lenovo and Fujitsu that ship with the affected Infineon TPMs are among the devices at risk.
“We found and analyzed vulnerable keys in various domains including electronic citizen documents, authentication tokens, trusted boot devices, software package signing, TLS/HTTPS keys and PGP,” the researchers said.
“The currently confirmed number of vulnerable keys found is about 760,000 but possibly up to two to three magnitudes more are vulnerable.”
More Details, Testing Tool, and Patches
The security researchers have released a brief blog post about the flaw, which includes a number of tools for detection, mitigation and workarounds.
The vulnerability was discovered and reported to Infineon Technologies in February this year and the researchers will present their full findings, including the factorization method, on November 2nd at the ACM Conference on Computer and Communications Security.
Their research paper, titled “The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli” (ROCA), will also be released after their presentation.
That gives companies and organisations a window in which to replace affected keys before the details of how the vulnerability works, and how it can be exploited, are published.
Major vendors including Infineon, Microsoft, Google, HP, Lenovo and Fujitsu have already released software updates for their affected hardware and software, along with guidelines for mitigating the vulnerability.
“Some Windows security features and potentially third-party software rely on keys generated by the TPM (if available on the system),” according to a Microsoft advisory. “Microsoft is releasing Windows security updates to help work around the vulnerability by logging events and by allowing the generation of software based keys.”
Users are therefore strongly advised to install the updates as soon as possible, and, because a firmware update does not fix keys the flawed code has already produced, to regenerate or replace any RSA key that was generated on an affected TPM.
It’s the end of roaming charges, at least for people in the EU, as the European Commission on June 15 rolled out its latest rendition of the “Digital Single Market”. It remains to be seen whether, and how far, lower tariffs for data, text messages and phone calls will reduce the allure of insecure free WiFi hotspots. The […]
Connecting to public Wi-Fi networks can get us out of a jam… and also get us into one! Use these 10 security tips and surf the web carefully.