It sounds like some new blues rock band, but it’s the latest in attacks against wifi technology. I mean, we all knew we weren’t really as safe as we pretended we were; sending data through the air is inherently leaky. That’s why radio works in the first place, but now the measures we thought gave us reasonable security, don’t.
Overview
- A new vulnerability affecting all WPA2 connected clients means an attacker could compromise clients even on password protected wireless networks.
- This targets client-side systems and is unlikely to affect routers except in bridged mode in some instances.
- Microsoft has already released a patch in their October 10th security updates.
- Apple is currently working on a patched release to be released on all MacOS, iOS and tvOS devices. AirPort routers are unaffected.
- HTTPS and VPNs continue to keep you secure as they always have and provide an effective mitigation technique.
They have a logo, it must be serious!
Actually, it is if mostly because it affects more than just negligent system administrators. Standing for Key Reinstallation Attacks, this vulnerability exploits key weaknesses in the standard WPA2 protocol used to encrypt your wifi connections. If you care about the technical details, the researchers who discovered this do a far better job than I could explaining how it works, but anyone with the 4 minutes to spare should watch the video which shows just how easy to execute the attacks are and how far-reaching their effect, especially against a common android device.
To sum it up, in a few minutes an attacker could compromise your connection and gain access to logins and passwords you use daily. This vulnerability affects all standards-compliant WPA2 devices. That is to say, if you enter a password on your wifi to protect your connection, you are vulnerable.
Woe is me! All is hopeless!
Not true, there is good news in all of this! The attack exploits a client-side vulnerability. Which means you are in control of the solution, not whoever it is that updates Starbucks Wifi firmware. Besides that, there are some steps that can be taken to ensure you’re a little bit safer out of the office.
OK, What can I do?
Most manufacturers of major wireless equipment have issued or are actively working on patches for this vulnerability. Microsoft has already issued an advisory documenting the vulnerability and issued a fix in their October 10th Security update. Apple is currently finalizing their release and will release it across the board to all operating systems as soon as it clears beta.
So the best thing you can do is to update your computers and devices to their latest versions. Updates for Windows can be installed through Windows Update or the Check for Updates, setting and updates for MacOS are found in the App Store or under Settings > General > Software Update on iOS devices.
But there is no patch for me! How can I remain safe?
There are still steps you can take to ensure your data stays private and safe. And better still, they help protect you against the next, as-yet-undiscovered vulnerability in our wireless world.
VPNs
It’s possible you already have a VPN connection on your computer to connect back to your office when you’re away, but don’t think of the added security benefits the encrypted communications channel provides. If you already have a secured VPN connection setup on your computer or other device, consider turning it on any time you connect to wifi. This will encrypt your internet data traffic and help provide an extra layer of security.
To be noted, some VPNs (Mac and iOS by default) do not send all internet traffic over this tunnel and would still leave you vulnerable. While this setting improves performance of your connection, it still sends data directly over your internet connection. Verify your settings before relying on the VPN to keep you safe.
HTTPS
HTTPS is the secured version of the standard website data protocol. It requires websites to encrypt the data sent back and forth to your computer and was initially used only on sites like banking and e-commerce sites. Lately, however, it’s been getting picked up across the board as the de facto web standard for protecting your privacy. Always check that the website has the https: prefix before entering private data and, better yet, the green-indicating security bar that ensures the site’s security identifiers are properly vetted.
Consider installing the HTTPS Everywhere plugin to your browser. It’s made by the folks at the Electronic Frontier Foundation (who take internet freedom and privacy very seriously) and helps ensure that your computer makes secured connections to websites whenever it can.
Other Secure Protocols
This section may require some advanced knowledge, but if your email still isn’t using TLS to connect or you’re still using Telnet to connect to services, stop. Encryption is being made easier and easier thanks to organizations like Let’s Encrypt, Certbot and Keybase making complex encryption tasks trivial. SSH has been available as an alternative to telnet for far too long for there to be any excusable reason to use a plain-text connection for anything other than testing connections.
If you’re a bit more of a hacker you can build your own secure VPN tunnels at home with basic routing equipment and Open VPN or if you want to get really creative, tunnel All The Things over SSH and you can do really interesting (if not always practical) things.
I see the light in the darkness, but I don’t know how to get there
That’s an extremely metaphorical response to the problem, but that’s fine. We can help you out. Cage Data believes in a safe and secure internet and can help you or your business achieve that. If you’re worried about the problem and not sure if you’re at risk schedule a consultation and we’ll make sure you can get back to work without worrying about your privacy and security on the internet.