The Security Flaw in Wi-Fi Protocols: A Threat to Your Online Privacy
Hey guys, this is Austin. Wi-Fi is basically everywhere and odds are you're using one of these devices over Wi-Fi pretty much every day. However, it just got a lot less secure.
Two Belgian researchers were able to find a flaw in the WPA2 Wi-Fi protocol. All this nerd talk aside means that a secured network is no longer as secure as you think.
So, to take a closer look at this, we have our resident hacking expert Wes, and you've actually spent a couple of days trying to figure out exactly how all of this stuff works.
Now, there are two types of Wi-Fi: secured and open. Now, you've probably connected to an open network at something like a coffee shop or an airport. And while it's great to have free Wi-Fi, the downside of being open is that it really is truly open.
Nearly anything you do on an open Wi-Fi network can be spied on by other people. So, the idea here is that if I decide to jump on Wi-Fi, you can intercept that and see what I'm doing. - Yeah, my laptop is essentially now sitting in between your phone and whatever websites you're trying to access.
Okay, so let's understand how this works. If I say, [insert audio/video clip]
WEBVTTKind: captionsLanguage: en- Hey guys, this is Austin.Wi-Fi is basically everywhereand odds are you're usingone of these devicesover Wi-Fi pretty much every day.However, it just got a lot less secure.Two Belgian researcheswere able to find a flawin the WPA2 Wi-Fi protocol.All this nerd talk aside means,is that a secured networkis no longer as secure as you think.So to take a closer look at thiswe have our resident hacking expert Wes,and you've actually spent a couple daystrying to figure out exactlyhow all of this stuff works.So there are two types ofWi-Fi: secured and open.Now you've probablyconnected to an open networkat something like acoffee shop or an airport.And while it's great to have free Wi-Fi,the downside of being open isthat it really is truly open.Nearly anything you doon an open Wi-Fi networkcan be spied on by other people.So, the idea here is thatif I decide to jump on Wi-Fi,you can intercept thatand see what I'm doing.- Yeah, my laptop is essentially nowsitting in between your phoneand whatever websitesyou're trying to access.- Okay, so if I say, "Goto google.com right now,"I just load it up, so Iam on the Google homepage,no problem.But on your end-- And what you can actually see here isthat it is showing methat you are going to a Google service.It's not gonna work for every website.- Right.- This is an attack that hasbeen known about for a whileand is pretty combated in most websites.A lot of people have thesecurity features built-into combat this.What I'm seeing now,after I started kinda diving into itis there are actuallysome pretty major websitesthat are not fully protected yet.- So, from my end, thislooks totally normal.I see HTTPS, it's secure,and, generally speaking,if you do see HTTPSwith the little greenlock on your browser,you are securebecause even though this willget between me and my Wi-Fi,it won't get between me andthe encryption and the Wi-Fi.You can't crack that step just yet.- Exactly.What this is trying to do,is it is trying to target that HTTPSbut most big websites at this pointhave the technology and placeto basically tell my laptopto get outta here.- So, give me a website, let's try it.- Let's go to spirit.com.- Okay, it's loading.It looks fine on my end.I see it's not HTTPS,but, I mean, it looks like a lot ofstandard, generic websites.- And that's kinda creepy.And look right there, I can see that you-- Whoa!- In an instantand what's creepy is itactually parses the data, too.So, I can see the type was a check-in.I see the last nameand right there, locator.- Yeah, that is really scary.But, to be fair, that'sonly on open Wi-Fi.However, if you're at home-- Yeah, well, if you're at home,let's see that you'rechecking something personallike if you wanted tocheck banking information,so, I know some people are a fan of Amexso, go to American Express's website.- Oh, interesting.So, now I see wwwww.americanexpress.com.- Which is another tacticthat this kind of attack useswhere, if it can't just strip it off,it'll try and do other little tricksto essentially allow itto all get bypassed.- To get all the way through.So, at this point, if you seesomething like this, bail.This is not right.It's one thing to not see HTTPSand you should really look for thatanytime you're logginginto anything sensitive,but, if you see a bunch of extra w's,that should be a big red flag.- That's when you knowthat something's up.So, yeah, go ahead andpress the login buttonthat has a little lock next to it.- This feels like such a bad idea.- And go ahead and check your account.Feel free to use your correct credentials.- I'm not gonna do that at all.Alright, logging in.- And, boom.I can see that you're user ID is testand password is wesishackingright there, seconds!- So, you basically wereable to capture all that.Now, that's not a real account,as you guys might be able to imagine,so, it just bounced me out,but, normally speaking,if that was my actual account,I would have been logged right in,checking all my credit cardinformation, the whole deal.- Yeah, you would have no idea,and I would not only have the information,but I would have it laid out for mein color coded fashion.So, the concerning part about all thisis the people that have actuallydiscovered the WPA2 crack.They have said that ata security conferencethat's coming up,they are going to release the code.- It's gonna be in the wild.- It's gonna be in the wild.So, they've essentially put a shot clockon every company to say,"Hey, if your device supports Wi-Fi,-"- Which is everything!- A couple devices,"You have to update soon, otherwise-"- It's too bad.It's out there.Until things get patched everywhere,you really should treat all Wi-Fias if it's an open, unsecured network.Now, there are ways around this.For example, if you'replugged in via ethernet,then you're going to beable to avoid all of this.However, something youshould always be doingregardless of how youconnect to the internet,is looking out for thatHTTPS in your browser bar.That mean that, whatever you're sending,whether it's bank information, login info,credit cards, whatever,it's going to be secure.At least, way more secure than otherwise.A VPN is also a good idea.So, it's not perfect.Your computer can send some informationbetween when you get on Wi-Fiand when you connect to the VPN,but, generally speaking,encrypting web trafficis going to get arounda lot of these issuesand, as long as you're usingan actually trustworthy VPNthat is going to protect your data,you should be pretty safe.Because this is so new,there actually aren't a lot of patchesthat are available foryou to download just yet.So, Google is working on an Android patch,which will be coming soon.However, that's going tobe going to Pixel devicesand actually may takeawhile before it hitsthe rest of Android phones.Now, Microsoft did updateWindows 10 already for this.However, even though Windows is patched,some Wi-Fi drivers mayalso need to be updated.You can definitely expect other companiesto follow suit quickly withupdates for their products,but if you consider that prettymuch everything in the worldthat connects to Wi-Fiis vulnerable to this,it's going to take awhileand if you have an older device,you might just not be ableto get an update at all.Thankfully, this can befixed with software updates,but for now, make sure you're using HTTPS,and if you're really worried,you can consider using a VPN.So, if you guys are interestedin more info on hacking,I actually recently did anentire video all about it.So, be sure to go check that outand I will catch you guys in the next one.
