iTWire

Ty Miller, managing director of security company Threat Intelligence, said unencrypted messages could be sent and full control gained over the wireless network traffic of anyone who was using these devices.

The vulnerability, revealed on Monday night, by Belgian researcher Mathy Vanhoef. At the time, he said: "Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks."

Miller explained: "The Linux and Android specific vulnerability is due to a flaw in their implementation of the protocol standard where the Temporal Key (TK) is overwritten with zeros.

"This is basically comparable to your password being overwritten with all zeros to gain access to all of your data. This allows the capture of sensitive information such as usernames and passwords, as well as the ability to inject malicious data into your Web browsing."

He said even after a majority of Linux and Android devices were patched, IoT devices would constitute a major long-term risk to organisations. These devices either never had patches released or else were rarely patched.

"It is a well-known fact that IoT devices have a terrible history when it comes to security, such as requesting software updates over HTTP," Miller said.

"This would enable the attacker to deploy a fake update to the vulnerable device causing it to become compromised, and ultimately provides the attacker with a foothold within your wireless network. If this device is on your corporate network, then your organisation is suddenly at risk of a major security breach."

The next worst affected would be Apple and OpenBSD, Miller said. "The primary challenge is that these operating systems only accept encrypted messages to be sent to the wireless client that makes it slightly more difficult," he pointed out.

However, this security control could still be bypassed by identifying encrypted messages by their size, and then replaying them against the vulnerable wireless client.

"This makes them just as vulnerable as in the Linux example above, except that some additional effort will be required to crack the key," Miller said.

"The upside is that the main risk is associated with macOS devices in this case, which are far more likely to be patched across the board than IoT devices."

Linux expert Russell Coker told iTWIre: "It (the vulnerability) sounds bad. But then given that so many systems are using old and unpatched versions of Android - I think we can assume that almost all Android 4.4 systems are unpatched - it's wide open anyway.

"It seems that if you run an Android device that's not a Nexus or Pixel then security support will end long
before the device wears out or becomes obsolete."