A new exploit can allow attackers to read Wi-Fi traffic between devices and wireless access points, and even modify it to inject malware into websites. Researchers have started disclosing security vulnerabilities today, and it looks like Android and Linux-based devices are the worst affected by multiple vulnerabilities. Researchers also claim some of the attack works against all modern Wi-Fi networks using WPA or WPA 2 encryption, and that the weakness is in the Wi-Fi standard itself so it affects macOS, Windows, iOS, Android, and Linux devices.
Intercepting traffic lets attackers read information that was previously assumed to be safely encrypted, and hackers don’t need to even crack a Wi-Fi password to achieve this. The vulnerability requires that a device be in range to a malicious attacker, and it can be used to steal credit card numbers, passwords, chat messages, photos, emails, and lots of other online communications.
Android 6.0 and above contains a vulnerability that researchers claim “makes it trivial to intercept and manipulate traffic sent by these Linux and Android devices.” 41 percent of Android devices are vulnerable to an “exceptionally devastating” variant of the Wi-Fi attack that involves manipulating traffic. Attackers might be able to inject ransomware or malware into websites thanks to the attack, and Android devices will require security patches to protect against this. Google says the company is “aware of the issue, and we will be patching any affected devices in the coming weeks.”
Although most devices appear to be vulnerable to attacks reading Wi-Fi traffic, the exploit doesn’t target access points. The attack exploits vulnerabilities in the 4-way handshake of the WPA2 protocol, a security handshake that ensures client and access points have the same password when joining a Wi-Fi network.
As this is a client-based attack, expect to see a number of patches for devices in the coming weeks. Researchers sent out notifications to specific vendors in July, and a broad notification was distributed in late August. Security researchers note that it’s not worth changing your Wi-Fi password as this won’t help prevent attacks, but that it’s worth updating router firmware and all client devices to the latest security fixes. “It might be that your router does not require security updates,” say researchers, but it’s worth checking with your router vendor to make sure.
Update, 8AM ET: Article updated with a statement from Google.
Comments
Good luck with that. Literally.
By DJ CERLA on 10.16.17 6:06am
Nobody cares…. my friend, otherwise people would have bought Pixel or iPhone only.
By Piyush Rathod on 10.16.17 6:18am
I care and I bought an iPhone
By tomkupper on 10.16.17 6:24am
Good for you, but everyone don’t have that kind of money. I hope Android One has success in developing countries.
By Piyush Rathod on 10.16.17 7:11am
Probably safer if you purchase a Pixel if security is important. This was written by Google and just one example.
https://googleprojectzero.blogspot.com/2017/09/over-air-vol-2-pt-1-exploiting-wi-fi.html
It is three parts but highly recommend reading.
By jacksmith21006 on 10.16.17 7:23am
I wouldn’t recommend reading that. Both Google and Apple fixed it in April.
It’s now irrelevant.
By Prone2Anxiety on 10.16.17 7:50am
This really and truly is a horrible fake news kind of title. I say that because reading the title alone an IOS/windows/Chromebook user might think they are fine and move on but that is not the case at all. Even the comments made so far demonstrate that.
This is a protocol issue. Whatever logo is on your stuff doesn’t stop it from effecting you.
By Mathow on 10.16.17 7:40am
Chromebooks, Windows and iOS devices can be patched in matter of weeks. Not the same can be said about Android phones which OS features like Wi-Fi can’t be upgraded
By Gabriel Hernandez6 on 10.16.17 9:44am
I don’t know what you’re talking about. I get monthly security updates for my Android phone. Also, this might be fixed automatically behind the scenes with a play services update that Google can push to phones.
By bazaal on 10.16.17 12:06pm
Are you aware that most of Android users are not in your lucky situation or you’re just trolling?
By nicolaramoso on 10.16.17 12:27pm
Are there OEM’s that aren’t pushing the monthly security updates from Google on 6.0 and up?
By storm24k on 10.16.17 1:42pm
Yes lol.
By Kiko0007 on 10.16.17 2:26pm
What manufacturer is that?
By foremi on 10.16.17 3:06pm
Almost all of them, Motorola, LG, Huawei, and Samsung all have major phones not receiving security updates
By John Ca on 10.16.17 3:31pm
Samsung? I have friends on cheaper Sammy devices and they have never received an update.
By StevenRN on 10.16.17 3:23pm
Depends if they can patch it through Play Services. If so it will be rolling out automatically to many devices.
Otherwise, they’re effed.
By badstars on 10.16.17 6:48am
OS based patches don’t work through the Play Store.
By Daniel Su on 10.16.17 7:17am
Part of it is terminology. Google has put some things that you would normally think are in the OS into Google Play Services. It is Play Service and NOT Play Store. Common mistake.
So yes there are security issues that can be resolved with running the latest Play Services. NOT all but some. Over 95% of Android phones are on the latest version of Play Services.
But if security is really important then I would use a Pixel as Google is really the leader in security.
https://googleprojectzero.blogspot.com/2017/09/over-air-vol-2-pt-1-exploiting-wi-fi.html
By jacksmith21006 on 10.16.17 7:25am
The Broadcom vulnerability has nothing to do with todays revelation.
And while we’re in full spin mode, Android was affected by it as well.
By Prone2Anxiety on 10.16.17 7:53am
You sent the same link above and been informed that both Apple and Google fixed it in April. Your comment is irrelevant.
By I am not Spartacus on 10.16.17 7:55pm
Not yet. Via some digging done by XDA, the Pixel 2 and 2 XL seem to have had their GPU drivers packaged as an APK (Project Treble related improvements), so we could be on the way to eventually seeing a complete separation of underlying OS from "system update" hell.
By GambaKufu on 10.16.17 9:46am
As noted, not Play Store.
By badstars on 10.20.17 6:11am
i agree, I have a Android 5.0 Sony Xperia M4 Aqua and my 18 month contract ends until March 2018, so not planning to upgrade to Nougat until then. is Google responsibility to patch my device using Play services, it’s not a carrier or vendor issue. Crap I have my banking application is Android really so insecure?
By Gabriel Hernandez6 on 10.16.17 8:38am
Android is no more or less secure than any other operating system with this bug. The potential security problem is if Sony do not patch it.
And the 41% of Android devices are all running 6.0 or higher, so you’re safe.
As far as banking – if your bank is transmitting your information over insecure HTTP connections then whether or not this flaw is fixed, you have bigger problems.
By GambaKufu on 10.16.17 10:34am
Still not going with an iphone. And for something like this, there will be expedited security patches for the major phone makers, like samsung.
By Alar's Ashes on 10.16.17 7:06am