Why using Wi-Fi at airport or railway station is 'risky'

CERT-in warned public against using public Wi-Fi and suggested VPN (virtual private network) and wired networks instead

When you visit an airport or railway station next time remember that browsing internet using the public Wi-Fi hotspot or wireless internet networks may leave you vulnerable for cyber attacks. 

The government agency Indian Computer Emergency Response Team (CERT-in) has rated the vulnerability quotient of public Wi-Fi in the country at 'high'. It warned public against using public Wi-Fi and suggested VPN (virtual private network) and wired networks instead. 

"Successful exploitation of these vulnerabilities allows an attacker to obtain sensitive information such as credit card numbers, passwords, chat messages, emails etc," CERT-in said. 

The agency's statement comes after Mathy Vanhoef, a security expert at Belgian university KU Leuven, recently discovered the weakness in the wireless security protocol WPA2, and published details of the flaw. 

WPA2 is a protocol that secures all modern protected Wi-Fi networks.

What does Vanhoef's report say?

1. An attacker within the range of a victim can exploit the weaknesses in WPA-2 using key reinstallation attacks (KRACKs) to read information that was previously assumed to be safely encrypted.

2. Information such as credit card numbers, passwords, chat messages, emails, and photos can be stolen. 

3. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.

4. Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. 

How does it work?

In this novel attack technique, an already-in-use key is re-installed, and then the key is reset which allows the encryption protocol to be attacked. 

When a machine like a laptop or smartphone connects to a Wi-fi network, the two gadgets carry out a four-way handshake (network authentication protocol). For example: The process involves confirming that the user's phone has the right password to connect to the network. It reinstalls an already-in-use key, which then resets the key and allows the encryption protocol to be attacked

What should you do to protect your device from cyber attack? 

To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected, the report says.