Many of us use this program on a regular basis, often without even realising it.
Android devices, for example, include it as part of the operating system distribution; support for Wi-Fi enabled devices on Linux almost always relies on it.
That's because it's the software that deals with finding, connecting to, and authenticating against Wi-Fi access points that use WPA security.
Why use WPA?
If you've followed Naked Security's advice, you'll long ago have switched from an open access point, or from WEP security (WPA's precursor), to WPA or WPA2.
Open access points are risky because anyone passing by can connect, and effortlessly listen in to your network traffic.
If you do online banking over HTTPS, the contents of that session will be protected, but a lot of the other things you do online will be wide open to what's known as sniffing – eavesdropping on and recording the data going past on the network.
Sniffed data can then be mined for interesting information like email addresses, usernames, instant messages, passwords; indeed, anything that isn`t properly encrypted.
WEP is worse than risky: it encrypts all your traffic under a secret key derived from a password, so it's supposed to be secure, but it isn't.
Because of a fault in the way WEP uses its underlying cipher, you can work backwards from enough captured encrypted traffic to the key, using cracking software that typically takes just a few minutes to run.
That means you need to use WPA, and, as mentioned above, on Androids and many Linuxes, that means wpa_supplicant, even though that's probably not obvious.
Buffer overflow
Unfortunately, wpa_supplicant turned out to have a buffer overflow.
That's where you send the program some data – in this case, a network name – but deliberately make it far longer than the program expects.
If the program doesn't check that the data is going to fit in the space reserved for it (perhaps on the assumption that no-one would ever bother with a network name like AAAAAATHISISLONGERTHANTHIRTYTWOCHARACTERSSOWATCHOUT), then other important data stored nearby in memory may be corrupted, and the program will probably crash.
With a mixture of analysis and deduction, crooks may be able to figure out how to orchestrate the crash in such a way that they trick your computer into running some other fragment of code of their own choosing.
Often, that gives them full access to your computer, just as if they were logged in themselves, in an outcome that's known as RCE, or remote code execution.
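To make the above concrete, here is an added example (written for this page, not code from wpa_supplicant or from the original article) of the kind of mistake described: a Wi-Fi SSID information element carries its own length byte, which the sender controls, while the receiver stores the name in a fixed 32-byte buffer. The `struct network` layout, the `trusted` flag sitting right after the buffer, and the over-long element built from 'A's are all constructed for illustration; the hardened parser beside the vulnerable one shows the length checks that prevent the overrun.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 802.11 limits an SSID to 32 octets; the SSID information element
 * carries its own length byte, which the sender (an attacker) controls. */
#define SSID_MAX_LEN 32

/* Hypothetical record, not wpa_supplicant's own layout: the SSID buffer
 * sits right before a flag that decides whether credentials are handed
 * to this network, so an overrun lands on data that matters. */
struct network {
    char    ssid[SSID_MAX_LEN];
    uint8_t ssid_len;
    uint8_t trusted;   /* 0 = do not send credentials to this network */
};

/* Vulnerable: trusts the attacker-supplied length byte. An element longer
 * than 32 octets runs past ssid and clobbers whatever follows. Writing past
 * the array is undefined behaviour; with this layout the spilled bytes land
 * in ssid_len and trusted, which is what main() demonstrates. */
static void vulnerable_parse_ssid_ie(const uint8_t *ie, struct network *net)
{
    uint8_t len = ie[1];              /* no check against sizeof net->ssid */
    memcpy(net->ssid, ie + 2, len);
    net->ssid_len = len;
}

/* Hardened: checks the element against both the bytes actually received
 * and the protocol maximum before copying. Returns 0 on success, -1 if
 * the element is malformed, truncated, or over-long. */
static int safe_parse_ssid_ie(const uint8_t *ie, size_t ie_len, struct network *net)
{
    if (ie_len < 2 || ie[0] != 0)     /* need tag + length; tag 0 = SSID */
        return -1;
    uint8_t len = ie[1];
    if (len > SSID_MAX_LEN)           /* longer than the buffer can hold */
        return -1;
    if ((size_t)len + 2 > ie_len)     /* element claims more than the frame has */
        return -1;
    memcpy(net->ssid, ie + 2, len);
    net->ssid_len = len;
    return 0;
}

/* Constructed input: an SSID element of the requested length filled with
 * 'A's, as a hostile beacon or probe response might carry. Returns the
 * element's total size, or 0 if buf is too small. */
static size_t build_ssid_ie(uint8_t *buf, size_t buf_len, uint8_t ssid_len)
{
    if (buf_len < (size_t)ssid_len + 2)
        return 0;
    buf[0] = 0;                       /* element ID: SSID */
    buf[1] = ssid_len;                /* attacker-controlled length byte */
    memset(buf + 2, 'A', ssid_len);
    return (size_t)ssid_len + 2;
}

/* Feeds an element of the given SSID length through the hardened parser
 * and returns its verdict (0 accepted, -1 rejected). */
static int check_ssid_len(uint8_t ssid_len)
{
    uint8_t ie[260];
    struct network net = {0};
    size_t n = build_ssid_ie(ie, sizeof ie, ssid_len);
    return safe_parse_ssid_ie(ie, n, &net);
}

int main(void)
{
    uint8_t ie[64];
    struct network net;

    /* 34 octets: two more than the buffer holds, just enough to reach the flag. */
    size_t n = build_ssid_ie(ie, sizeof ie, SSID_MAX_LEN + 2);

    memset(&net, 0, sizeof net);
    vulnerable_parse_ssid_ie(ie, &net);
    printf("vulnerable parser: trusted flag is now %u (was 0)\n", net.trusted);

    memset(&net, 0, sizeof net);
    int rc = safe_parse_ssid_ie(ie, n, &net);
    printf("hardened parser:   rc=%d, trusted flag still %u\n", rc, net.trusted);
    return 0;
}
```

The stand-alone run feeds the same 34-octet element to both parsers: the vulnerable one silently overwrites the `trusted` flag with 'A' (0x41), while the hardened one rejects the element before copying anything. The two bounds checks are deliberately separate: `len > SSID_MAX_LEN` protects the destination buffer, and `len + 2 > ie_len` protects against a length byte that points past the end of the received frame (an out-of-bounds read rather than a write).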