Critical Wi-Fi Flaws Put Your Data at Risk (CVE-2023-52160, CVE-2023-52161)

Two new vulnerabilities (CVE-2023-52160, CVE-2023-52161) in open-source WiFi software allow attackers to trick victims into automatically connecting to evil twins of trusted networks and intercept their traffic, or to join otherwise secure networks without knowing the password.

Top10VPN collaborated with Professor Mathy Vanhoef to uncover significant security flaws in two widely used open-source WiFi implementations, wpa_supplicant and IWD, exposing users to traffic interception and other attacks. The first attack targets users connecting to an Enterprise WiFi network; the second targets an existing home network whose access point runs IWD.

CVE-2023-52160, CVE-2023-52161

The vulnerability in wpa_supplicant v2.10 and below (CVE-2023-52160) is particularly alarming because wpa_supplicant is the default supplicant that handles WiFi authentication on Android devices. With 2.3 billion Android users globally potentially impacted, the concern is substantial. wpa_supplicant is also used on nearly all Linux devices and in ChromeOS, which powers Chromebooks, a common choice in educational environments. Although the wpa_supplicant vulnerability only affects WiFi clients that fail to properly verify the authentication server's certificate, recent studies indicate that this misconfiguration is common, especially on the affected devices.

The vulnerability in IWD v2.13 and below (CVE-2023-52161) affects fewer people, as IWD is Linux-only WiFi software. However, it impacts every deployment that uses IWD as an access point, because the vulnerability does not depend on any misconfiguration. Intel developed IWD as a comprehensive connectivity solution for Linux, aiming to eventually replace wpa_supplicant, and it is available in the official package repositories of all major Linux distributions.

The wpa_supplicant vulnerability jeopardizes WiFi networks using the Enterprise mode of WPA2/3 rather than the less secure Personal mode typically found in home WiFi networks. Ironically, the flaw stems from abuse of the certificate-based server authentication that only Enterprise mode offers: when the client does not validate the server's certificate, an attacker's access point can terminate the PEAP tunnel itself and skip the inner (Phase 2) authentication, so the client completes the connection without the attacker ever having to prove knowledge of the user's credentials. The IWD vulnerability, by contrast, affects home WiFi networks.

The wpa_supplicant vulnerability lets an attacker trick a victim's device into automatically connecting to a malicious clone of a trusted WiFi network and intercept its traffic. Because the attack requires no action from the victim, they are unlikely to notice they are being targeted. The attacker only needs the SSID of an Enterprise WPA2/3 network the victim has previously connected to, and to be within radio range of the victim. A plausible scenario is an attacker circling a company's building to scan for networks before targeting an employee leaving the office. The IWD vulnerability differs in that it lets an adversary gain full access to an existing protected WiFi network, exposing the users and devices already on it to attack. The risks of such an attack, especially for a small business relying on this type of WiFi network, are considerable and include interception of sensitive data, malware infections, ransomware attacks, business email compromise, and password theft.

Both vulnerabilities were reported to the vendors and have been patched in their public code repositories; the IWD fix shipped in IWD 2.14. The standard advice to keep software and operating systems updated applies, and IWD releases updates frequently. How easily you can secure a device against the wpa_supplicant vulnerability, however, depends on the operating system. ChromeOS users can simply update to the latest version, which has been patched since at least version 118. Linux users depend on their distribution to ship a patched wpa_supplicant; because the fix lives in the upstream repository rather than in a tagged release, distribution maintainers must backport the patch into the wpa_supplicant version they package.

Unfortunately, Android users must wait for an Android security update that includes the wpa_supplicant patch, which can take anywhere from several months to years. In the meantime, Android users should manually configure the CA certificate (and the expected server domain) for every saved Enterprise network, which prevents the attack. University students and staff connecting to eduroam can also use the eduroam CAT tool to configure Android securely. On the latest Android versions it is also possible to use Trust-on-First-Use (TOFU) to trust the CA certificate automatically when connecting to the network for the first time; note that TOFU only helps if that first connection is to the genuine network. A sensible additional precaution is to remove any unused WPA2/3 Enterprise networks and to disable automatic reconnection for the ones you use regularly.
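The precondition for the wpa_supplicant attack described above, and the mitigation recommended here, both come down to one question: does a saved Enterprise network pin the CA certificate and the expected server name, or does it accept any certificate? The following audit script is an added example written for this page, not code from the wpa_supplicant project or from the researchers. It parses a constructed wpa_supplicant.conf (assumed to use the standard network={...} block syntax with the real ca_cert, ca_path, domain_match, domain_suffix_match, subject_match and altsubject_match fields) and flags WPA-EAP networks that are exposed. The sample SSIDs, paths and credentials are invented.

```python
"""Audit a wpa_supplicant.conf for WPA-EAP networks that would be exposed to a
CVE-2023-52160 style evil-twin attack.  A key_mgmt=WPA-EAP network with no
ca_cert/ca_path accepts any server certificate; one without a server-name
match accepts any certificate issued by the trusted CA."""
import re

# Constructed sample configuration (not taken from the page).  The first
# Enterprise network trusts whatever certificate the "server" presents, the
# second pins the CA and the RADIUS server name, the third is a PSK network.
SAMPLE_CONF = """
# example wpa_supplicant.conf
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.edu"
    password="hunter2"
    ca_cert="/etc/ssl/certs/example-edu-ca.pem"
    domain_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="home"
    key_mgmt=WPA-PSK
    psk="correct horse battery staple"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")

# Any one of these fields ties the server certificate to an expected name.
NAME_MATCH_FIELDS = {"domain_match", "domain_suffix_match",
                     "subject_match", "altsubject_match"}


def parse_networks(text):
    """Return one dict of key -> value per network={...} block."""
    nets = []
    for body in BLOCK_RE.findall(text):
        net = {}
        for line in body.splitlines():
            if line.strip().startswith("#"):
                continue  # comment line
            m = KV_RE.match(line)
            if m:
                key, val = m.group(1), m.group(2)
                net[key] = val.strip('"')  # drop the quotes around strings
        nets.append(net)
    return nets


def audit(net):
    """Return a list of findings for one network block; empty means OK."""
    findings = []
    if "WPA-EAP" not in net.get("key_mgmt", "").split():
        return findings  # Personal (PSK/SAE) networks are not affected
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("no ca_cert: any server certificate is accepted")
    if not (NAME_MATCH_FIELDS & set(net)):
        findings.append("no domain_match: any certificate from the trusted "
                        "CA is accepted")
    return findings


def audit_conf(text):
    """Map ssid -> findings for every network in the configuration text."""
    return {net.get("ssid", "?"): audit(net) for net in parse_networks(text)}


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF).items():
        print(f"{ssid}: {'EXPOSED' if findings else 'OK'}")
        for finding in findings:
            print("  -", finding)
```

Run it against the real file (for example /etc/wpa_supplicant/wpa_supplicant.conf, read with the same parser) to list every Enterprise profile that an evil twin could impersonate; the fix for each flagged block is exactly the one the text recommends, adding ca_cert plus a domain_match for the RADIUS server.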

As an additional defense, we recommend routinely using a VPN on public WiFi networks: even if an attacker succeeds in interposing an evil twin, the traffic inside the VPN tunnel is encrypted and cannot be read. Check out our recommendations for the most reliable VPNs for Android and Linux; our Android VPN recommendations also apply to ChromeOS users. A VPN protects your internet traffic from interception, but it cannot defend against every type of attack stemming from these or any future vulnerabilities.

For a comprehensive technical analysis and all relevant background, download the report Bypassing WiFi Authentication in Modern WPA2/3 Networks by Mathy Vanhoef and Héloïse Gollier. Additional details on the IWD and wpa_supplicant vulnerabilities are available in the blog post at top10vpn.com written by the researchers who found these Linux WiFi authentication vulnerabilities.