WPA2 flaw's worst impact on Android, Linux devices

The flaw in the WPA2 wireless protocol revealed recently has a critical impact on Android phones running version 6.0 of the mobile operating system and Linux devices, a security researcher says.

Ty Miller, managing director of security company Threat Intelligence, said unencrypted messages could be sent and full control gained over the wireless network traffic of anyone who was using these devices.

The vulnerability was revealed on Monday night by Belgian researcher Mathy Vanhoef. At the time, he said: "Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks."

Miller explained: "The Linux and Android specific vulnerability is due to a flaw in their implementation of the protocol standard where the Temporal Key (TK) is overwritten with zeros.

"This is basically comparable to your password being overwritten with all zeros to gain access to all of your data. This allows the capture of sensitive information such as usernames and passwords, as well as the ability to inject malicious data into your Web browsing."

He said even after a majority of Linux and Android devices were patched, IoT devices would constitute a major long-term risk to organisations. These devices either never had patches released or else were rarely patched.

"It is a well-known fact that IoT devices have a terrible history when it comes to security, such as requesting software updates over HTTP," Miller said.

"This would enable the attacker to deploy a fake update to the vulnerable device causing it to become compromised, and ultimately provides the attacker with a foothold within your wireless network. If this device is on your corporate network, then your organisation is suddenly at risk of a major security breach."

The next worst affected would be Apple and OpenBSD, Miller said. "The primary challenge is that these operating systems only accept encrypted messages to be sent to the wireless client that makes it slightly more difficult," he pointed out.

However, this security control could still be bypassed by identifying encrypted messages by their size, and then replaying them against the vulnerable wireless client.

"This makes them just as vulnerable as in the Linux example above, except that some additional effort will be required to crack the key," Miller said.

"The upside is that the main risk is associated with macOS devices in this case, which are far more likely to be patched across the board than IoT devices."

Linux expert Russell Coker told iTWire: "It (the vulnerability) sounds bad. But then given that so many systems are using old and unpatched versions of Android - I think we can assume that almost all Android 4.4 systems are unpatched - it's wide open anyway.

"It seems that if you run an Android device that's not a Nexus or Pixel then security support will end long before the device wears out or becomes obsolete."



Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

