Background

Security Flaw In Wi-Fi Routers Allows Hackers To Steal Data On Unencrypted Websites

Another day, another vulnerability. This time, it's a flaw common to all Wi-Fi routers.

Computer scientists from the University of California, Riverside, have discovered a security flaw that affects Wi-Fi routers, enabling hackers to exploit a weakness in the Transmission Control Protocol (TCP) and perform a web cache poisoning attack to steal login credentials or other private data.

Fortunately, the flaw only puts users at risk while they are visiting sites over plain HTTP.

This means that users visiting HTTPS-secured websites, or sites that enforce HSTS, are not affected by the bug. Similarly, users on Ethernet connections are not affected.
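The protection described above can be checked from a site's own response: the attack only works against plain HTTP, so a defender wants to know whether a page is served over HTTPS and whether it sends a Strict-Transport-Security header that stops browsers from ever making the plain-HTTP request in the first place. The Python below is an added example, not code from the article or from the UCR researchers; the header values it inspects are constructed samples, and the one-year max-age threshold is an assumption you may tune.

```python
"""Check whether a site's response protects it against plain-HTTP injection.

Added example (not from the UCR paper or the article).  The off-path injection
only works against plain-HTTP pages, so the defender's question is: is this
page reached over HTTPS, and does HSTS keep the browser from downgrading?
All response headers below are constructed samples, not real sites.
"""
import re
from typing import Optional

# One year in seconds, a common minimum for a meaningful HSTS policy
# (assumption: adjust to your own policy).
MIN_HSTS_MAX_AGE = 31536000


def parse_hsts(header_value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value into its directives.

    Returns None when max-age is missing or malformed, because browsers ignore
    an HSTS policy without a valid max-age (RFC 6797 section 6.1).
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def assess_response(scheme: str, headers: dict) -> list:
    """Return a list of findings; an empty list means the page is outside this attack's reach."""
    findings = []
    if scheme.lower() != "https":
        findings.append("page served over plain HTTP: injected content would be cached as-is")
    hsts_raw = next(
        (v for k, v in headers.items() if k.lower() == "strict-transport-security"), None
    )
    hsts = parse_hsts(hsts_raw) if hsts_raw is not None else None
    if hsts is None:
        findings.append("no valid HSTS header: a first visit may still go over HTTP")
    else:
        if hsts["max_age"] < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {hsts['max_age']} is below one year")
        if not hsts["include_subdomains"]:
            findings.append("HSTS lacks includeSubDomains: subdomains stay reachable over HTTP")
    return findings


# Constructed sample responses (scheme, headers); none of these is a real site.
SAMPLE_RESPONSES = {
    "http-only-bank": ("http", {"Content-Type": "text/html"}),
    "https-no-hsts": ("https", {"Content-Type": "text/html"}),
    "https-hsts-good": (
        "https",
        {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
    ),
    "https-hsts-short": ("https", {"Strict-Transport-Security": "max-age=300"}),
}

if __name__ == "__main__":
    for name, (scheme, headers) in SAMPLE_RESPONSES.items():
        findings = assess_response(scheme, headers)
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

The check is deliberately conservative: an HTTPS page without HSTS is flagged because the browser will still make a plain-HTTP request when the user types the bare host name, and that first request is exactly the kind of traffic the injection targets.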

Modern browsers, including Google's Chrome and Mozilla's Firefox, warn users when they visit websites without encryption.

So users of those browsers shouldn't be affected.

The bad news is that a fix or patch is not possible.

According to Associate Professor Zhiyun Qian and doctoral student Weiteng Chen, both from UCR’s Marlan and Rosemary Bourns College of Engineering, the exploit takes advantage of the interaction between two universal internet protocols: the Transmission Control Protocol (TCP) and Wi-Fi.

The flaw in question lies in the decades-old design of TCP and Wi-Fi.

TCP works by breaking data down into smaller chunks, called packets, so that computers can communicate.

The sequence starts at a random number, but the subsequent numbers increase predictably. This allows hackers to guess the next number in order to intercept the communication.

There are about 4 billion possible sequence numbers, which alone should make them difficult to guess. But if hackers do manage to guess the right number, they can sneak in while users are sending or receiving data.

"But if the attacker can figure out which number triggers a response from the recipient, they can figure out the rough range of the correct number and send a malicious payload pretending that it comes from the original sender," explained the researchers in a blog post detailing the attack.

"When your computer reassembles the packets, you’ll see whatever the attacker wants."
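The arithmetic behind "about 4 billion" is worth seeing concretely, because a receiver does not demand the exact next sequence number: it accepts any segment whose number falls inside its current receive window, so the target is a window-sized range rather than a single value, and the researchers' "rough range" remark refers to that window. The Python below is an added example, not from the article or the UCR paper; it models the standard in-window acceptance rule from RFC 793 and computes the blind-guess odds for a few constructed window sizes.

```python
"""Model of TCP's in-window acceptance rule and what it does to the 2^32 space.

Added example, not taken from the article or from the UCR researchers' paper.
The window sizes used below are constructed illustrations, not measurements.
"""
SEQ_SPACE = 2 ** 32  # distinct 32-bit sequence numbers: the "about 4 billion"


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Receiver-side check: accept `seq` if it lies in [rcv_nxt, rcv_nxt + rcv_wnd).

    Modular subtraction handles wrap-around at 2^32, so a window that straddles
    the top of the space is treated the same as any other.
    """
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def blind_hit_probability(rcv_wnd: int) -> float:
    """Probability that a single uniformly random guess is in-window."""
    return rcv_wnd / SEQ_SPACE


def expected_blind_guesses(rcv_wnd: int) -> float:
    """Expected number of guesses with no feedback at all (geometric: 1 / p)."""
    return SEQ_SPACE / rcv_wnd


def window_summary(window_sizes=(65535, 65535 << 7, 65535 << 14)) -> dict:
    """Odds for an unscaled 64 KiB window and two window-scaled sizes (constructed)."""
    return {
        w: {
            "hit_probability": blind_hit_probability(w),
            "expected_blind_guesses": expected_blind_guesses(w),
        }
        for w in window_sizes
    }


if __name__ == "__main__":
    # Demonstrate the acceptance rule, including wrap-around near 2^32.
    rcv_nxt, rcv_wnd = SEQ_SPACE - 10, 65535
    for seq in (SEQ_SPACE - 10, 5, SEQ_SPACE - 11):
        print(f"seq={seq:>10} accepted={in_window(seq, rcv_nxt, rcv_wnd)}")
    for w, stats in window_summary().items():
        print(f"window={w:>10}  p(hit)={stats['hit_probability']:.2e}  "
              f"expected blind guesses={stats['expected_blind_guesses']:.0f}")
```

The point for defenders is that the size of the number space is only protective while the attacker gets no feedback. The researchers' finding is that half-duplex Wi-Fi leaks exactly that feedback, which is why the recommended mitigation targets the radio design rather than the numbering scheme.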

To exploit the bug, hackers first need to lure victims to a website they control.

The site runs JavaScript that creates a TCP connection to a banking website. The exploit works if victims stay on the hackers' website long enough for the hackers to guess the sequence number for the banking packets.

"You can imagine a website that displays pirated content such as movies, NBA games, or video games, which lure the user to stay for a sufficient period of time," said Qian.

If that happens, the hackers can inject a malicious copy of the bank's web page into the victims' browser cache to steal login credentials.

The strategy relies on web cache poisoning, so that victims will see the malicious page whenever they try to visit the legitimate banking site in the future. Unless the victims clear their browser cache, the malicious copy of the site can remain there for a very long time.

To mitigate the attack, the researchers recommend that Wi-Fi manufacturers build routers that transmit and receive on different frequencies, rather than the current half-duplex design.

Weiteng Chen and Zhiyun Qian have published a paper titled "Off-Path TCP Exploit: How Wireless Routers Can Jeopardize Your Secrets" describing the flaw, which affects all generations of half-duplex IEEE 802.11 (Wi-Fi) technology.

Published: 26/09/2018