Computer scientists at the University of California, Riverside, have discovered a security flaw that affects all Wi-Fi routers. Hackers could exploit the weakness in the transmission control protocol (TCP) and perform a web cache poisoning attack to steal passwords, login information, and other private data. Unfortunately, a fix isn’t possible, as the vulnerability stems from a 20-year-old design based on TCP and Wi-Fi. To prevent hackers from using the exploit, researchers recommend that manufacturers build routers that operate on different frequencies for transmitting and receiving data.
Fortunately, this attack technique won’t work with encrypted sites that use HTTPS and HSTS. Users on Ethernet connections are similarly not affected. Given that the attack won’t work on encrypted sites, most users who browse the internet on a modern browser shouldn’t be affected. Many browsers, including Google’s Chrome, already warn users if they visit an unencrypted site.
TCP works by breaking down data into manageable chunks, called packets, for computers to communicate. The data packets begin with a random first number, but the subsequent numbers in the sequence will predictably increase, and hackers can guess the next number to intercept communication between the sending and receiving computers. Given that there are approximately 4 billion sequence numbers, it is difficult for hackers to make a correct guess.
“But if the attacker can figure out which number triggers a response from the recipient, they can figure out the rough range of the correct number and send a malicious payload pretending that it comes from the original sender,” the researchers wrote in a blog post detailing the attack. “When your computer reassembles the packets, you’ll see whatever the attacker wants.”
When the victim visits a website that’s controlled by the hacker — who can be connected remotely using a different Wi-Fi network — the site will run a JavaScript that creates a TCP connection to a banking website. The exploit will work if the victim stays on the site for as little as 1 minute. Hackers can display pirated movies, for example, in an attempt to lure the victim to stay on the site for longer. While the victim is on the site, the hacker can guess the sequence number for the banking packet and inject a malicious copy of the bank webpage into the victim’s cache to steal passwords and login information.
This web cache poisoning tactic ensures that the victim will always see the malicious site whenever they try to visit the banking website in the future, and the malicious copy of the site can sit in the browser cache for deacdes or until the victim clears the cache.
