Major Wi-Fi security flaw affects billions worldwide, including almost every Internet user in Singapore

[SINGAPORE] Major security flaws just discovered in Wi-Fi devices have put billions at risk worldwide, including almost every Internet user in Singapore.

Issuing the alert on Tuesday afternoon (Oct 17), the Singapore Computer Emergency Response Team (SingCert) said: "These vulnerabilities may affect the data confidentiality of users' Wi-Fi connectivity in homes and offices." The flaw affects nearly every device that uses Wi-Fi, said SingCert.

This includes routers, smartphones, computers and surveillance cameras. And there are more than 11 million homes, offices, cafes and public locations here using or providing Wi-Fi connections, according to official figures."The attacker can exploit the vulnerabilities to monitor, inject and manipulate users' network traffic," the agency noted responding to queries from The Straits Times. SingCert is a unit of Singapore's Cyber Security Agency (CSA) that coordinates the nation's response to cyber threats and attacks.

The alert follows Monday's confirmation (Oct 16) of the flaw by the United States Homeland Security's cyber-emergency unit US-Cert. The US authority had quietly warned vendors of the problem two months ago so that vendors would have time to roll out patches before the problem is made public, according to online reports. And though many have since issued patches, billions of devices remain unpatched.

The design flaw, dubbed KRACK (Key Reinstallation Attack), exposes what is said to be the first critical vulnerabilities in WPA2, a common authentication method. The 14-year-old WPA2 protocol secures the Wi-Fi connection between a router and a computer or Internet device.

Mr Mathy Vanhoef - a researcher in Belgium's University of Leuven who discovered the flaw - said in a research paper published online earlier this week that a hacker could hijack unencrypted conversations and exchanges over the Wi-Fi connection."The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected," he wrote in the paper. "To prevent the attack, users must update affected products as soon as security updates become available." Mr Vanhoef will be presenting the paper at the Computer and Communications Security conference organised by a trade association in Dallas, United States, on November 1.

There have been no reports of this flaw being exploited so far. An attacker must also be within the Wi-Fi range to carry out nefarious exploits.

The reported flaw potentially allows hackers to snoop on unencrypted data being sent and received from vulnerable routers.

Last week, Microsoft released a software fix for the Wi-Fi flaw in its Oct 10 Windows update. The current beta versions of Apple's iOS, tvOS, watchOS and macOS operating systems also come with the security fix. Other vendors like Google are still creating security patches for their devices, and are expected to release them only in the coming weeks.

SingCert advised users to check with their vendors on the availability of the security patches and apply them as soon as possible.

Dr Gary McGraw, vice president of Security Technology at United States-based software engineering firm Synopsys, said that KRACK, being a design flaw, is harder to fix than a software bug, which is more common. "That's (also) why KRACK is so pervasive across chips and platforms, affecting many manufacturers worldwide." Some security experts said that using a patched device provides enough protection - even if the Wi-Fi router is not patched.

As security software patches for routers, Webcams and TVs are harder to apply, Mr Jason Kong, co-founder of Singapore-based network security firm Toffs Technologies, said that Internet service providers should set up help desks and provide software update packages to help customers."For peace of mind, users should also subscribe to virtual private network services, available online or from ISPs," Mr Kong said.

THE STRAITS TIMES