Release the KRACKen

Nov 03, 2017, 6 min

Episode description

Researchers published a paper detailing a critical vulnerability in the WPA2 security protocol for WiFi networks. What does that mean for you?


Transcript

Speaker 1

When you set up a Wi-Fi network, you should always create a unique admin and password to protect it, and you should also know that that doesn't really matter anymore, for now. I'm Jonathan Strickland, and this is TechStuff Daily.

If you've ever used a Wi-Fi network with security settings, you're likely relying upon a protocol called WPA2. It stands for Wi-Fi Protected Access, and it's a security certification program that's supposed to allow for secure communication between devices and the Internet. Only now, there's a workaround that makes WPA2 about as safe as a vault door made of tissue paper. Some researchers uncovered the security flaw and wrote a paper about it, publishing that paper in October. The flaw means that devices running on Android, Linux, OpenBSD, and a few other operating systems may send information to something that appears to be a specific Wi-Fi access point, but in fact is a malicious clone. Some operating systems, like iOS and Windows, are immune against certain implementations, but are still vulnerable to others.

Here's what's going on. The attacker runs special software called key reinstallation attacks, or KRACKs, K-R-A-C-K-S. The KRACK will allow the attacker to clone the network, fooling certain electronics into connecting with the malicious clone rather than the legitimate network. It does this by interrupting a process called the four-way handshake. This is a process through which a device and a network verify that they are having legitimate communication with each other. The KRACK technique manipulates and then replays this cryptographic handshake message, resetting the device's encryption process and intercepting all communication between that device and the network. This is a type of attack known as a man-in-the-middle attack.

Worse than that, the clone network will be able to decrypt communications sent through it. Pairing this with some other well-known hacker software, such as SSLstrip, allows the cloned network to downgrade traffic to the HTTP protocol instead of HTTPS. You may have been told to keep an eye on the address bar of your browser to verify the presence of that little lock symbol next to the HTTPS. This tells you that you've got a secure connection to that particular web page. SSLstrip pushes traffic to an HTTP protocol, removing that extra level of security. However, this is reflected in the address bar, so if you're paying attention, you may notice the problem right away.

The solution to this problem involves updating devices with security patches that remove the vulnerability. Changing your network's login and password information doesn't help all by itself, as this attack sidesteps those measures in the first place. You have to install updates to your various devices. Those updates take time to develop and roll out, and by the time you hear this, there may still be some devices you own that lack a patch. It's a good idea to be careful about using Wi-Fi networks in the meantime, particularly in public spaces, though this attack can turn any Wi-Fi network into a vulnerability, even in your home network. Switching to wired connections would also prevent any unintended communication with malicious networks.

The flaw illustrates how difficult network security can be. First, you need a reliable system that isn't easily breached or manipulated, and until recently, WPA2 seemed to fit the bill. Now, it's clear that the system had some major flaws, but let's assume that the security protocol is top-notch and has no other known vulnerabilities. There are still plenty of opportunities for malicious hackers to get unauthorized access to a system.

Legitimate users who choose weak logins and passwords are a liability. Humans are pretty bad at remembering complicated passwords, and so it's natural for us to get a little lazy and come up with passwords that aren't very tricky at all. The truly foolish never bothered to change their access point's passwords from the default, which means an attacker with knowledge of the default passwords can get easy access to that network. Others will take a minor step forward and use a new password but rely on actual simple words. A hacker using a brute force attack, in which a machine puts forward various words at high speeds in an attempt to find the password, could gain access to such an account.

Strong, complex passwords are more reliable, particularly if they are longer than eight characters, but these are much more difficult to remember, particularly if you're practicing good security etiquette and you've created a new password for every site or service. You can build complex passwords out of a collection of common words, and that helps, but you still need to remember what those passwords are and not rely on the same one for two or three or all of your login information.

And keep in mind that the weakest point in any security system tends to be people. There have been plenty of systems that were breached, not through some hacker running a sly piece of code to probe for passwords, but rather a person just chatting with a company's employee in an effort to get more information.

The worst thing about the WPA2 flaw is that you could be practicing extremely healthy security habits and it doesn't even matter, because the vulnerability exists in the protocol itself. It just doesn't seem fair. Fortunately, with some software updates, companies can remove this possibility and you can rest easy. Just another reason why it's always important to install those updates.

That's all for today. To learn more about hacking, security and malware, check out TechStuff. It's my long-form podcast that publishes on Wednesdays and Fridays and explores all topics in the world of technology. I'll see you again soon.

Transcript source: Provided by creator in RSS feed