An error has been discovered in all modern WiFi routers that cannot be solved
Specialists in ethical hacking and cybersecurity at the University of California reported the discovery of a vulnerability that leverages the interaction of two universal Internet protocols: the Transmission Control Protocol (TCP) and WiFi. This exploit does not appear to be traditional security vulnerability. Instead, the security flaw lies in a fundamental decision of Wi-Fi design made over 20 years ago, making it extremely difficult to correct.
TCP has existed since the advent of the Internet and virtually all websites use it. TCP divides information into manageable fragments that can be transmitted between computers over the Internet. Each fragment, known as “package”, receives a number within a single sequence for that particular communication, ensuring that it is delivered correctly. The first number of the initial sequence is chosen randomly, but the following numbers are added in a predictable pattern, so the receiving device can organize them properly if they arrive in disorder.
When you click to enlarge an image on a website, your computer asks the remote computer to send the image data. The remote computer divides the image data into numbered packets and sends them through the fastest routes. Your computer responds to recognize each package and assembles them in the correct order to display the selected image.
According to the ethical hacking experts’ reports, for an attacker to be able to intercept this communication, he must pretend to be the sender and correctly guess the next number in the sequence. Because there are about 4 billion of possible sequences, it is almost impossible to guess successfully before the communication is complete. But if the attacker finds out which number triggers a response from the recipient, he can figure out the approximate range of the next number and send a malicious load that simulates arriving from the original sender. When the computer reassembles the packets, the user will find the content sent by the attacker.
How can someone find out this number?
Wireless routers can only transmit data in one direction at a time because they communicate with devices on their network on a single channel. Like walkie-talkies, if both parties send information at the same time, there will be interference. This is known as half duplex transmission, a feature of all routers.
This means that there is always a time interval between a request and a response. If an attacker sends a falsified TCP packet with a random sequence number, followed by a normal package and an immediate response, the attacker will know that he is mistaken because in a half-duplex system, the recipient should take longer to respond to the spoofed package. If the response takes longer, the attacker will know that has being able to guess the sequence and can hijack the communication.
To be contacted by a remote attacker, the victim must visit a website controlled by the attacker. The website runs a JavaScript that creates a TCP connection to a bank or other website chosen by the attacker. The victim is not aware that the connection has been established. In their experiments, the investigators found that the victim needs to stay on the malicious website only one or two minutes for the attack to succeed.
Specialists in ethical hacking from the International Institute of Cyber Security commented that there is no solution to this security failure in the short term. The only solution would be to build routers that operate at different frequencies to transmit and receive data. According to experts who discovered the vulnerability, it is still about five years before it can be solved.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.