Researchers claim browser vulnerability puts millions of Wi-Fi networks at risk

5 Sep 2018

Image: Manuel Esteban/Shutterstock

Research from cybersecurity and penetration testing consultancy SureCloud claims a flaw in Chrome-based browsers could leave millions of home Wi-Fi networks open to attack.

Millions of Wi-Fi networks could be easily hacked, according to claims from cybersecurity firm SureCloud. Researcher Elliot Thompson found a weakness in how Google Chrome and Opera browsers handle saved passwords and how those same passwords are used to interact with home Wi-Fi routers over unencrypted connections.

Chrome-based browsers offer to save Wi-Fi router administration page credentials by design, allowing them to be re-entered at the convenience of the user.

As the majority of users don’t use encrypted communications for management tasks, the SureCloud team was able to exploit this automatic re-entry of credentials to capture the Wi-Fi network password (PSK) with a single click.

Security v convenience

Luke Potter, cybersecurity practice director at SureCloud, said: “There is always a trade-off between security and convenience, but our research clearly shows that the feature in web browsers of storing login credentials is leaving millions of home and business networks wide open to attack – even if those networks are supposedly secured with a strong password.

“We believe this design issue needs to be fixed within the affected web browsers, to prevent this weakness being exploited. In the meantime, users should take active steps to protect their networks against the risk of being taken over.”

The flaw is said to affect any browser based on the Chromium open source project, including Google Chrome, Torch and Opera, among others. Many routers are also at risk, researchers say, including devices from Asus, Netgear and Belkin. Any router that has an administration portal delivered over cleartext HTTP by default (or enabled) would be affected.

Wi-Fi network safeguarding tips

SureCloud gave four tips to protect networks:

  • Only log in to your Wi-Fi router for configuration or updating using a separate browser or Incognito browser session
  • Clear your browser’s saved passwords and do not save credentials for non-secure HTTP pages
  • Delete saved open networks and do not allow automatic reconnection to networks
  • Change pre-shared keys and router admin credentials as soon as possible. Use a separate or Incognito browser session for the configuration and choose a strong passphrase

SureCloud disclosed its findings to the Chromium Project last March and received a response the same day, saying the feature was “working as designed”, adding that it had no plans to update it. More recently, Chrome said it would study the apparent bug closely.

A couple of caveats

There are several factors involved that complicate the attack. Firstly, the attacker needs to be within Wi-Fi range of the router. The victim’s device needs to be using the Chrome or Opera browsers that have the router’s login credentials to an open network saved. The user would also need to click a page pop-up purporting to be their router’s admin menu for the attack to work.

Another external researcher, Robert Pritchard, told Newsweek that the flaw may not be as threatening as it seems. He said: “The vast majority of Wi-Fi networks these days are encrypted, meaning this attack would not be viable.

“Even if you can find an unencrypted Wi-Fi network, you would still have to find a victim on said network who is actively using Chrome or Opera, and who had the administrator credentials for the network router saved in the browser.”

Thompson gave a different view to Siliconrepublic.com: “Robert mentioned that the ‘report demonstrates that passwords to unencrypted portals over unprotected Wi-Fi can be captured’. This is not what the report demonstrates.

“The target device in the demonstration is connected to a secure, WPA2-protected network; then, using the Karma attack, the target is brought onto a fake unsecured network to begin the next stage of the attack. The first (Karma) stage of this attack is well known – we have built upon that and taken it further.

“The attack is demonstrated to work against WPA2 networks encrypted with a strong PSK – this is what makes the finding significant, and the attack doesn’t require intercepting any network traffic.”

Regardless of the severity of the flaw, it’s always good to take the opportunity to ensure the security of the networks you use.

Updated, 2.14pm, 5 September 2018: This article was updated to include further comments on the exploit from SureCloud researcher Elliot Thompson.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects

editorial@siliconrepublic.com