Three threats that leave consumers in the wind
Three new security vulnerabilities made waves across the Internet this past week, respectively exposing holes in Wi-Fi, Microsoft Office, and encryption keys. Although security experts say the threats don’t warrant high alert, each exposes consumers to hackers—and none has an easy solution.
Of the three, the Krack exploit might pose the biggest threat to consumers. Krack is the intentionally catchy nickname for Key Reinstallation Attacks, which target the Wi-Fi Protected Access (WPA) and WPA2 protocols used to secure Wi-Fi networks. Krack can be used to decrypt otherwise secure Wi-Fi communications to expose emails, photos, videos, passwords, instant messages, social-media posts, and Internet traffic on every major platform, including Windows, Mac, Linux, iOS, and Android.
Devices running Android (including a multitude of Internet of Things devices) or Linux (including many Wi-Fi routers) are the most vulnerable to Krack. The attack changes the cryptographic key that protects data in transit to all zeroes.
Krack is potentially as bad as it sounds, says Dan Tentler, founder of the San Diego-based security testing company Phobos Group. But its damage will be stymied by two critical caveats: An attacker needs to be in physical proximity to a target network. And the attack typically targets “clients”—the devices that connect to the Wi-Fi router—rather than the router itself. With far fewer users than corporate or government networks, consumers’ home networks aren’t as likely to be targeted.
“Who have you made so angry that they’re coming to hack your house?” Tentler asks. Consumers can mitigate the attack, he says, by patching their devices with software updates (Microsoft has released a fix, with Apple, Google, and enterprise Internet router vendors expected to follow suit soon), and using SSL or TLS.
“Krack doesn’t leave consumers powerless,” Tentler says, but “they are at the mercy of the [device software] vendor, because the vendor has to update [its] code.”
The second exploit takes advantage of Microsoft’s Dynamic Data Exchange protocol, which applications use to exchange data and messages. When combined with PowerShell, users can create so-called macros to automatically perform Windows tasks such as changing font, text size, and alignment.
“That’s a brilliant piece of engineering,” says Andrew Conway, a research analyst at security company CloudMark. “But like mixing fertilizer and diesel, it’s explosive.”
Hackers are taking advantage of this explosive mix, security company SensePost revealed on October 9, to automatically download and run malware on machines running Microsoft Office. Activation requires a user to click on a legitimate-looking dialog box that pops up in Word or Excel. Someone could navigate to that dialog box from a malicious email attachment.
It’s classic social engineering, Conway says.
Sometimes software makers decide not to address a vulnerability simply because the known exploit doesn’t affect its functionality. This is a case in point: Microsoft says that the vulnerability can’t be exploited unless the user has disabled Word or Excel’s “protected mode,” which some organizations require, and it decided to reiterate the dangers of phishing attacks rather than to update the code.
“We encourage customers to use caution when opening suspicious email attachments,” a Microsoft representative wrote in a statement to The Parallax.
There’s not much users can do to avoid the attack, Conway says. “It needs to be fixed [by Microsoft], or we need teach people not to click on dialog boxes in Microsoft documents.”
The third major vulnerability uncovered this past week affects electronic authentication technology used in government and corporate identity cards and fobs, including 750,000 digital Estonian identification cards. RSA encryption keys generated by Infineon Technologies chips are weaker and therefore significantly easier to crack than expected, according to a warning published by Infineon on October 10. Hackers can break the encryption on RSA1024 and RSA2048 keys on chips dating as far back as 2012.
The keys work by mathematically factoring a “public” key for sharing and a “private” key to be kept secret. Hackers weaken the encryption by exploiting the vulnerability to create their own private key. If you have a document signed with another person’s private key, you can’t be sure that the electronic signature is authentic.
While the flaw affects only RSA keys generated with Infineon chips, Conway nevertheless says it’s a “long-term problem” because there’s no easy fix for the millions of consumers who need to continue using the vulnerable smartcards and fobs.
“You can put out software updates. You can put out firmware updates to devices. But there’s no mechanism that tells people to replace their public-private key pair,” he says.