A significant and critical flaw has been discovered in Wi-Fi Protected Access II (WPA 2) by a researcher in Belgium. This vulnerability potentially leaves users’ devices open to attack when connected to Wi-Fi.
The US Computer Emergency Readiness Team (CERT) said today “several key management vulnerabilities in the four way handshake of WPA 2 security protocol” were discovered.
Patches are being made available for routers and Access Points. Devices using Android 6.0 or above, and Linux are particularly vulnerable to attack.
We are actively looking at patching customer devices and advising on patching clients. However in the meantime we would advise that businesses and consumers adopt the same security stance for private Wi-Fi networks as they would for public Wi-Fi networks. This research has exposed a flaw that opens up private networks in the same way that public Wi-Fi networks cannot be trusted.
By adopting the following guidance, and training your employees to be vigilant, businesses can help protect their data while fixes are being rolled out.
Make your employees aware of this flaw, and soon. Educate them on the risks of connecting their corporate (and own) devices via Wi-Fi, and keep reminding them of the risks involved. Even after patches are installed to protect private Wi-Fi, it’s still critical that employees receive regular training in IT security.
2. Get wired
If practical, make wired connections available for all your staff during this vulnerable period.
3. Don’t auto connect
All devices should be set so they don’t automatically connect to any network, even known “trusted” ones. There is no such thing as a trusted network, now that this flaw has been uncovered. Double check the settings on all devices.
4. Turn off
Turn off Wi-Fi on all devices when not in use. This extra small step will help protect your devices, making them non-discoverable by a “bad actor”.
5. Don’t share
This is a good time to turn off file sharing and AirDrop options and enable built in firewalls. If you have to use Wi-Fi, be careful what you’re accessing. Issue a company-wide policy on file-sharing and set out simple step by step procedures to ensure it is followed.
6. Keep up to date
As part of your internal communications around this issue, you should actively encourage all employees to accept and install updates as soon as they are offered. You should also fully audit your antivirus and anti malware software, to make sure they’re up to date and fit for purpose.
7. Use HTTPS
Train your employees to look out for the green padlock in the browser and to use HTTPS websites, as a reassurance that the website is protected.
8. Use a Virtual Private Network (VPN)
The best protection from an untrusted network is direct, encrypted access to a trusted one. Using a Corporate VPN when you’re out and about will ensure data is encrypted between you and the service provider.
9. 4G access
Another network that helps get around the Wi-Fi vulnerability is the 4G network. If you have coverage, use your mobile network to access the internet. But don’t use your phone as a hotspot – it will create a Wi-Fi connection between devices, which creates the vulnerability we’re trying to avoid.
Multi-factor authentication will help protect devices and data from compromised passwords, especially if the same password has been used across many services. While a “bad actor” might be able to get hold of your password, without the 2nd or 3rd factor, they won’t be able to get access to data.
If you are unsure of how this discovery could affect you, and what action you should take, please contact us.