SINGAPORE - Major security flaws just discovered have put billions of Wi-Fi devices at risk worldwide, including almost every Internet user in Singapore.
Issuing the alert on Tuesday afternoon (Oct 17), the Singapore Computer Emergency Response Team (SingCert) said: "These vulnerabilities may affect the data confidentiality of users' Wi-Fi connectivity in homes and offices."
The flaws affect nearly every device that uses Wi-Fi, said SingCert.
These include routers, smartphones, computers and surveillance cameras. And there are more than 11 million homes, offices, cafes and public locations here using or providing Wi-Fi connections, according to official figures.
"The attacker can exploit the vulnerabilities to monitor, inject and manipulate users' network traffic," the agency noted, responding to queries from The Straits Times.
SingCert is a unit of Singapore's Cyber Security Agency, which coordinates the nation's response to cyber threats and attacks.
The alert follows Monday's confirmation of the flaws by the United States Homeland Security's cyber-emergency unit US-Cert.
The US authority had quietly warned vendors of the problem two months ago so that vendors would have time to roll out patches before the problem was made public, according to online reports. Though many have since issued patches, billions of devices remain unpatched.
The attack, dubbed Krack (Key Reinstallation Attack), exploits what are described as the first critical vulnerabilities in WPA2, the protocol that has encrypted and authenticated the Wi-Fi link between a router and a computer or Internet device since 2004. The weakness lies in WPA2's four-way handshake: by capturing and replaying a handshake message, an attacker in range can trick a device into reinstalling a key it is already using, which resets the packet counters that the encryption relies on. The same keystream is then used twice, and traffic encrypted under it can be recovered.
Mr Mathy Vanhoef, a researcher at Belgium's University of Leuven who discovered the flaw, said in a research paper published online this week that a hacker could read, and on some devices inject into, conversations and exchanges that rely on the Wi-Fi encryption alone.
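The article names the attack but does not show why reinstalling a key is dangerous. The following is an added illustration, not code from the paper or from any Wi-Fi implementation: a much-simplified client that, like a vulnerable supplicant, resets its packet number to zero whenever handshake message 3 arrives, so a replayed message 3 makes it encrypt two frames with the same key and nonce. The keystream is a SHA-256 based stand-in for the AES counter mode that real CCMP uses (the property that matters, identical keystream for identical key and nonce, is the same). The "known" and "secret" frames, the function names and the `patched` switch are all constructed for this example.

```python
import hashlib
import os

# Constructed sample frames: the first is the kind of predictable plaintext
# (an HTTP request) an attacker can guess; the second is what they want.
KNOWN = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/7.55\r\n\r\n"
SECRET = b"POST /login user=alice&pass=hunter2"


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Counter-mode keystream: hash(key || nonce || block index), truncated.

    Stand-in for AES-CTR as used by CCMP. Like AES-CTR, it is deterministic:
    the same (key, nonce) pair always produces the same keystream bytes.
    """
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            key + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Minimal model of a Wi-Fi client's handling of handshake message 3."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None          # pairwise transient key from the handshake
        self.pn = 0              # packet number, used as the CCMP nonce
        self.installed = False

    def on_message3(self, ptk: bytes) -> None:
        """Install the key from message 3 (which may be a retransmission)."""
        if self.patched and self.installed and ptk == self.ptk:
            # Fixed behaviour: a retransmitted message 3 must not reset the
            # packet counter once the key is already in use.
            return
        self.ptk = ptk
        self.pn = 0              # installing a key resets the nonce counter
        self.installed = True

    def send(self, plaintext: bytes):
        """Encrypt one frame; returns (packet number, ciphertext)."""
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


def krack_demo(patched: bool):
    """Run the replay against a client and try to recover SECRET.

    Returns the recovered bytes, or None if the nonce was not reused.
    """
    ptk = os.urandom(16)                 # key negotiated by the handshake
    sta = Supplicant(patched)
    sta.on_message3(ptk)                 # genuine message 3 from the router
    pn1, c1 = sta.send(KNOWN)            # attacker sniffs this frame
    sta.on_message3(ptk)                 # attacker replays message 3
    pn2, c2 = sta.send(SECRET)           # attacker sniffs this frame too
    if pn1 != pn2:
        return None                      # different nonces, no keystream reuse
    # c1 ^ c2 == KNOWN ^ SECRET, so XORing in the guessed plaintext
    # strips the keystream entirely without knowing the key.
    return xor(xor(c1, c2), KNOWN)


if __name__ == "__main__":
    print("vulnerable client:", krack_demo(patched=False))
    print("patched client:   ", krack_demo(patched=True))
```

The patched branch models the fix the researcher describes (update the client so that a retransmitted message 3 no longer reinstalls the key); it is the client's counter handling, not the router, that decides whether the nonce is reused.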
Ways to stay safe:
1. Patch your Windows machines now; Microsoft shipped the fix in its Oct 10 Windows update. Apple's fix is currently in the beta versions of iOS, tvOS, watchOS and macOS.
2. Surf only encrypted (https) Web pages. Website owners should likewise serve their pages over https and enable HTTP Strict Transport Security, so that an attacker on the Wi-Fi link cannot downgrade a visitor to plain http. An attacker might inject malware into unencrypted websites.
3. Do not send confidential details over public Wi-Fi networks.
4. Use virtual private network (VPN) services, available online or from Internet service providers, to add an extra layer of security.
5. Do not visit or install software from unknown websites.
6. Unplug any unpatched Wi-Fi device, such as webcams, if the Wi-Fi signal of your router extends into public space. The attack requires the attacker to be within Wi-Fi range.
"The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations," Mr Vanhoef wrote in the paper. "To prevent the attack, users must update affected products as soon as security updates become available."
There have been no reports of these flaws being exploited so far, and an attacker must be within Wi-Fi range of the target to carry out the attack.
Microsoft released a software fix for the Wi-Fi flaw in its Oct 10 Windows update. The current beta versions of Apple's iOS, tvOS, watchOS and macOS operating systems also come with the security fix. Other vendors, such as Google, are still creating security patches for their devices, and are expected to release them only in the coming weeks.
SingCert has advised users to check with their vendors on the availability of security patches and apply them as soon as possible.
Dr Gary McGraw, vice-president of security technology at US-based software engineering firm Synopsys, said design flaws are harder to fix than a software bug, which is more common. "That's (also) why Krack is so pervasive across chips and platforms, affecting many manufacturers worldwide."
Some security experts said that using a patched device provides enough protection, even if the Wi-Fi router is not patched. This is because the main attack targets the client side of the handshake; a router mostly needs its own patch if it uses fast roaming (802.11r) or itself acts as a Wi-Fi client, as a repeater does.
As security patches for routers, webcams and TVs are harder to apply, Mr Jason Kong, co-founder of Singapore-based network security firm Toffs Technologies, said Internet service providers (ISPs) should set up help desks and provide software update packages for customers. "For peace of mind, users should also subscribe to virtual private network services, available online or from ISPs."