New Wi-Fi Vulnerabilities Expose Android and Linux Devices to Hackers

By neub9

Feb 21, 2024 | Newsroom | Network Security / Vulnerability

Cybersecurity researchers have discovered two authentication bypass flaws in open-source Wi-Fi software installed on Android, Linux, and ChromeOS devices. These flaws have the potential to deceive users into connecting to a malicious copy of a legitimate network, or allow an attacker to join a trusted network without needing a password.

The vulnerabilities, known as CVE-2023-52160 and CVE-2023-52161, were found during a security assessment of wpa_supplicant and Intel’s iNet Wireless Daemon (IWD), respectively.

According to new research conducted by Top10VPN in collaboration with Mathy Vanhoef, the flaws allow attackers to deceive victims into connecting to fake versions of trusted networks and intercept their data, as well as join otherwise secure networks without needing a password.

CVE-2023-52161 allows an attacker to gain unauthorized access to a protected Wi-Fi network, potentially leading to malware infections, data theft, and business email compromise (BEC). It affects IWD versions 2.12 and earlier.

CVE-2023-52160 affects wpa_supplicant versions 2.10 and earlier, and is particularly critical because wpa_supplicant is the default software used in Android devices for handling wireless network logins.

This flaw only affects Wi-Fi clients that are not properly configured to verify the authentication server’s certificate. On the other hand, CVE-2023-52161 affects any network using a Linux device as a wireless access point (WAP).

Exploiting CVE-2023-52160 requires the attacker to have knowledge of the victim’s previously connected Wi-Fi network SSID and be physically close to the victim.

Several major Linux distributions have released advisories for the two flaws. While fixes for ChromeOS have been implemented, Android users are urged to manually configure the CA certificate of saved enterprise networks to prevent the attack.
