Earlier this week, Mathy Vanhoef of the Imec-DistriNet research group, discovered serious weaknesses and vulnerabilities in WPA2, a protocol which is used to secure all modern Wi-Fi networks.
Vanhoef’s paper noted:
“An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks.”
How Does it Affect Devices and are Bitcoin Wallets in Danger?
As Vanhoef explained in his paper, any device from mobile phones to computers using public Wi-Fi connections can be vulnerable to data theft. Many analysts including CNET executive editor Roger Cheng explained that at this point, any device that is connected to a public Wi-Fi connection is vulnerable.
“This is pretty serious. The bad news is pretty much every Wi-Fi enabled device is vulnerable. The good news is that it has to be local. The hacker has to be near the Wi-Fi network. It can’t launch a widespread attack,” said Cheng in an interview with CBS.
Analysts have explained that hackers targeting local Wi-Fi connections in public areas such as airports can breach the local systems of Wi-Fi-enabled devices, and as such, hackers can steal information ranging from passwords to local app data. Furthermore, because Android and Linux devices are more vulnerable to KRACKs than other devices or operating systems, Bitcoin and cryptocurrency wallets installed on Android and Linux devices could easily become vulnerable to local attacks.
Vanhoef’s paper explained that around 50 percent of Android devices are vulnerable to KRACKs and other types of attacks that are capable of extracting sensitive information efficiently.
“Because Android uses wpa_supplicant, Android 6.0 and above also contains this vulnerability. This makes it trivial to intercept and manipulate traffic sent by these Linux and Android devices. Note that currently 50% of Android devices are vulnerable to this exceptionally devastating variant of our attack,” read Vanhoef’s paper.
2 Factor Authentication (2FA) For Bitcoin Wallets, Preferably Apps like Google Authenticator
Generally, Bitcoin wallet developers and experts recommend users avoid 2FA via SMS, because phone vulnerabilities or social engineering can lead to numbers being compromised as Zooko Wilcox, the CEO of Zcash stated:
I’ve seen “my phone got hacked” alerts from three different Silicon-Valley/Bitcoin/VC-type people recently. Stay alert, and enable 2fa [*].
— zooko [no280] (@zooko) October 24, 2016
However, the development team behind Trezor, the most popular and secure Bitcoin hardware wallet, has encouraged users to take this one step further, using U2F rather than widely used 2FA apps like Google Authenticator and SMS, because of its mechanism. Apps like Google Authenticator, which are still far more secure than direct SMS 2FA verification, use a system known as Time-Based One-time Password (TOTP), as demonstrated in the infographic below provided by Trezor:
But, Trezor’s developers explained that TOTP could be vulnerable and weak as a cryptographically verified system because users must take additional steps to back up the “secret” or private identity. Furthermore, if attackers gain access to the TOTP key provider, then user’s data could potentially be vulnerable to additional attacks.
“Backup codes are sent online, which is simply insecure. You and Provider share the same secret. If an attacker hacks into a company and gains access to both the password and the secrets database, he/she will be able to access every account completely unnoticed,” stated the Trezor development team.
Conclusively, to prevent unwanted Bitcoin wallet access or security breaches, users must avoid using public Wi-Fi networks to log-in to their wallets. Additionally, experts recommended users to enable strong a 2FA system, preferably Google Authenticator and U2F, as Trezor developers recommended.