Posted by stuart.gilbertson

What’s happened

A researcher has found a way to compromise the most common Wi-Fi security standard which allows an attacker to look at traffic on the network, and in some cases, manipulate the data.

What’s affected

Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks

The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available.

In general, any data or information that the victim transmits over Wi-Fi can be decrypted.

What are we going to do

Resolving the security problem is likely to involve applying security update to routers. Consider IT will actively manage and maintain the security of your network as and when a patch becomes available.

In the meantime, it comes down to risk management. Do you want us to disable Wi-Fi company-wide? Do you want to continue using Wi-Fi for the foreseeable.

On the basis that users on Wi-Fi stay vigilant for websites that should be over HTTPS (the green padlock), our risk analysis shows that this is a moderate to severe risk. The likelihood of being attacked is low.

Our recommendation is to stay alert to your browsing habits. Make sure that where possible the device has Wi-Fi disabled and is cabled in. Should a website you expect to operate over a secure connection (HTTPS green padlock) fails to load or doesn’t establish that secure connection, the user raises it as a priority.

More Details

Computer security expert from the University of Surrey Prof Alan Woodward said: “This is a flaw in the standard, so potentially there is a high risk to every single wi-fi connection out there, corporate and domestic.

“The risk will depend on a number of factors including the time it takes to launch an attack and whether you need to be connected to the network to launch one, but the paper suggests that an attack is relatively easy to launch.

“It will leave the majority of wi-fi connections at risk until vendors of routers can issue patches.”

Dr Steven Murdoch from University College, London said there were two mitigating factors to what he agreed was a “huge vulnerability”.
“The attacker has to be physically nearby and if there is encryption on the web browser, it is harder to exploit.”

There’s an article on the BBC news website that popped up yesterday that took our interest. It states that a “hack” lets phones “eavesdrop and make premium calls”. This was obviously a great concern for us, as it named our primary vendor, snom, as the manufacturer whose phones were used in the research.

The article can be seen on the BBC website here: http://www.bbc.co.uk/news/technology-35579273

What we can’t understand is why the BBC chose to publish such a non-story. What this “security hack” boils down to is not changing the administration page password from the default. Yes, you heard right. The only security flaw is not setting an admin password for managing the settings on the phone.

In fact, if you ignore the fact they used old firmware to carry out their tests and you perform that exact same test on firmware that isn’t old (and was only a beta release) the phone itself prompts you on the screen at every opportunity to set an Admin password.

So really, if you’ve configured your VoIP phone for making and receiving calls and you haven’t bothered to set an admin password, more fool you.

Thankfully, all of the snom phones we provision for our clients have a secure password set on them prior to delivery on site. You can tell this is the case because if you take a quick glancing look at your screen it isn’t going crazy that a password isn’t set.

So for this “hack” to work:

1. You need to be running old firmware (by the way, when going to download it from the snom site, says “8.7.5.13 is a deprecated / unsupported versoin! Use at your own risk…”)
2. You then need to provision your phone to make calls on a VoIP platform whilst neglecting to set an admin password
3. You then need someone on your local network interested enough to take advantage of the fact you’ve done steps A and B and also wants to eavesdrop on you or make premium rate calls

VoIP is still an emerging technology and it’s such a shame that a business that’s meant to be on the forefront of technology has chosen to report on such a non-issue as this one. Compare it to setting up a new router for your internet connection without changing the default web admin password. It really is no different.

Lastly, just to touch on the Premium Calls part of their article where they suggest there could be toll fraud carried out (which is true), this isn’t the case on our Hosted VoIP Platform. Why? We block all premium rate numbers! 🙂

We are currently aware of a lot of malicious spam emails currently doing the rounds. As of posting this, few anti-viruses pick up the virus attachments.

The fake email pretends to come from e-mail address [email protected], but is actually a simple forgery and does not in fact come from Les Caves.

The contents of the e-mail message are as follows:

From:    Avril Sparrowhawk [[email protected]]
Date:    22 December 2015 at 11:14
Subject:    CWIH8974 PAYMENT RECEIVED

Good afternoon

Thanks very much for your payment we recently from you, however there was a missed invoice.  Can you just confirm this will be included in the next payment run, or whether there were any queries with this particular invoice?

I have attached the invoice for your reference.

Kind regards

Avril

If you receive this e-mail, delete it immediately and contact your IT Support company. Do not open the attachment(s).

The attached file is a malicious document “CWIH8974.doc” which has a low detection rate. There are likely other variants of this virus going around but in the cases we’ve seen it downloads a malicious executable file from.

If you have already opened the attachment, contact your IT Support company after shutting down your computer. They will want to completely wipe it with a fresh reinstall.

The virus itself allows the hacker to compromise the web browser so that when the user tries to log in to their Internet Banking, the details are leaked to the hacker who attempts to withdraw funds from the user’s bank account.