Two new Wi-Fi authentication bypass vulnerabilities have been discovered in open-source software. These could leave many enterprise and home networks vulnerable to attacks.
Mathy Vanhoef, a professor at Belgium’s KU Leuven research university, and Heloise Gollier, a student at KU Leuven, discovered the vulnerabilities. They worked with VPN testing company Top10VPN on this. Vanhoef is famous for his Wi-Fi security research, including the attacks known as KRACK, Dragonblood, and FragAttacks.
The vulnerabilities were found in wpa_supplicant and in Intel's iNet Wireless Daemon (IWD). wpa_supplicant provides WPA, WPA2, and WPA3 client support and is found in all Android devices, most Linux devices, and ChromeOS, the Chromebook operating system.
The wpa_supplicant vulnerability, tracked as CVE-2023-52160, affects users who connect to enterprise Wi-Fi networks. It lets an attacker trick a user into connecting to a rogue Wi-Fi network that impersonates a legitimate enterprise network, after which the attacker can intercept the user's traffic.
“The vulnerability can be exploited against Wi-Fi clients that are not properly configured to verify the certificate of the authentication server, which unfortunately still often occurs in practice, in particular with ChromeOS, Linux, and Android devices,” the researchers wrote in a paper describing the flaws.
Exploitation requires no action from the user, but the attacker must be within range of the victim and must know the SSID of an enterprise network the victim has previously connected to.
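As an added example (not from the article or the wpa_supplicant project), the following Python script audits the network blocks of a wpa_supplicant.conf for the misconfiguration the researchers describe: WPA-Enterprise profiles with no ca_cert/ca_path trust anchor, or with a trust anchor but no domain_match constraint on the server name. The sample configuration is constructed; the SSID, certificate path and domain are placeholders.

```python
# Added example (not from the article or the wpa_supplicant project): audit the
# network={...} blocks of a wpa_supplicant.conf and flag WPA-Enterprise profiles
# that never verify the RADIUS server certificate, as described above.
import re

SAMPLE_CONF = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"   # trust anchor (placeholder path)
    domain_match="radius.corp.example"            # pin the server name (placeholder)
    phase2="auth=MSCHAPV2"
}
"""  # constructed sample: first block weak, second hardened

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
TRUST_ANCHOR = {"ca_cert", "ca_path"}
NAME_CHECK = {"domain_match", "domain_suffix_match", "altsubject_match"}

def parse_blocks(conf):
    """Return one dict of key=value parameters per network={...} block."""
    blocks = []
    for body in BLOCK_RE.findall(conf):
        params = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # strip trailing comments
            if "=" in line:
                key, value = line.split("=", 1)
                params[key.strip()] = value.strip().strip('"')
        blocks.append(params)
    return blocks

def audit(conf):
    """Return (ssid, problem) for every enterprise block lacking cert checks."""
    findings = []
    for p in parse_blocks(conf):
        if "WPA-EAP" not in p.get("key_mgmt", "").split():
            continue  # PSK/open profiles have no authentication-server certificate
        if TRUST_ANCHOR.isdisjoint(p):
            findings.append((p["ssid"], "no ca_cert/ca_path: server certificate not verified"))
        elif NAME_CHECK.isdisjoint(p):
            findings.append((p["ssid"], "no domain_match: any certificate from that CA accepted"))
    return findings
```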
The IWD issue, tracked as CVE-2023-52161, can be used to gain unauthorized access to home or small-business Wi-Fi networks. Once on the network, an attacker could use its internet connection, attack other devices on it, access sensitive data, or deploy malware.
“The vulnerability allows an adversary to skip message 2 and 3 of the 4-way handshake, enabling an adversary to complete the authentication process without knowing the network’s password,” the researchers said.
The affected vendors have been notified. Google fixed the vulnerability in ChromeOS 118, and Android users will receive the fixes soon. A patch is also available for Linux, but it is up to the individual distributions to ship it to their users. Workarounds that reduce the risk are also available.