Vulnerability in Wi-Fi protocol affects many competitors

avatar Quebex Fintech Inc.
Oct 17, 2017

ZDNet is reporting--the internet and media will quickly follow--that a recently disclosed vulnerability in Wi-Fi puts nearly every device using the technology at risk.

This comes only months after reports of the BlueBorne flaws affecting nearly every device with Bluetooth enabled.

There is a list of available and upcoming patches for devices over at ZDNet that might be worth a look.

Notably, if you're using an iPhone or other Apple product, you're probably a couple weeks away from having a patch, but theoretically not at significant risk if you've got the latest updates.

Users with the latest Android phones using the 6.0 Marshmallow update, however, seem to be at the greatest risk.

In the simplest terms, the vulnerability makes it possible for someone near your Wi-Fi network to inspect your connections and potentially snoop on passwords (so that they can later log in as you and, perhaps, withdraw all your crypto currencies).

Typically, websites rely on SSL to protect your password (that's the basic requirement for the green Secure/Lock icon). Though this is certainly better than not using SSL, it isn't "good enough" for a site like Quebex.

That's why we don't rely on SSL.

When you log in to Quebex, your browser sends your username to our server, our server gives your browser two strings that look like this: ERkjrnerbERBerljkngerberljbn42t2, and then your browser uses your password and the random characters to send us something that only makes sense for the single login attempt.

In short, if someone watches you log in, even thought they see what you send to our server, there's a better chance of them winning the lottery on their first play than managing to log in as you with what they see.

That's not to say you're completely protected. If an attacker manages to grab hold of your session information and pretends to be you, coming from the same internet connection, they'll be able to access your account as if you had logged in and walked away from your computer.

While they wont be able to withdraw your BTC, they will be able to--if it's a feature enabled on your account--post ads for $1/BTC. Quebex would of course see who buys at a large discount, so the ability for a hacker to profit by doing this is limited.

We ask users to be vigilant when accessing the Quebex platform, especially if using Wi-Fi on a new Android device with bluetooth enabled. A laptop or desktop computer with a wired connection and up-to-date security patches goes a long way to avoiding both of the vulnerabilities mentioned.

Users with balances and concerns over the potential impact of the vulnerabilities can ask for their account to be restricted from trading, or withdraw their balance to a disconnected location they control such as a Trezor.