Earlier this week, a vulnerability was disclosed in the WPA2 security protocol that, in the worst case, could allow an attacker to potentially gain access to some or all of the encrypted information transmitted over a Wi-Fi connection.
This isn’t a bug, and it’s not a failure of one manufacturer or another. This is a weakness in the protocol itself.
If you use Wi-Fi on any device, it’s worth understanding how big of a risk this might be, and what steps, if any, you might want to take.
The steps to take, if you need to take them
The single biggest mitigating factor for the average computer user is that this is a wireless vulnerability, and therefore requires proximity. You need to be using a Wi-Fi connection, and the attacker needs to be within wireless range of your computer.
If you don’t use Wi-Fi, this is a non-issue. Nothing to see here. Move along.
If you do use Wi-Fi, then understanding your common surroundings is important. If you’re in some isolated area where, like me, anyone close enough to listen in to your Wi-Fi would be obvious and out of place, it’s possible you don’t need to take any additional steps other than updating software, which I’ll discuss below.
If, on the other hand, someone’s within range, and particularly if you consider yourself or your business a potential target, then there’s something you might want to do until the problems gets fixed: treat your wireless connection as if it were an open Wi-Fi hotspot with no encryption at all. In this case, that generally means:
- Use https wherever possible.
- Avoid sites that don’t use https.
- Consider using a VPN.
- Consider using your mobile device’s data plan instead of Wi-Fi in sensitive locations.
Or, if you can, switch to a wired ethernet connection.
The steps you need to take regardless
As it turns out, this is a relatively easy problem to address in software. As a result, most major manufacturers are pushing out updates that will fix the issue. Once your software is updated, you’re protected.
Take those updates as soon as they’re available. Bleeping Computer reports that for Windows 10, at least, your system may already be fixed, as the update was apparently silently included in the most recent patch Tuesday. That fact was only revealed when the vulnerability itself became public. (Sadly, this comes on the heels of a Windows Update problem causing many people to try to avoid updates. When it’s available, this is an update you want.)
This applies to any and all devices that use Wi-Fi.
And therein lies a different problem: not all devices will be updated.
Updates on older devices
It’s unclear if Windows XP or Vista will get fixes for this. It’s pretty clear older versions of MacOS and Linux may not get updates. In short: if your operating system doesn’t get security updates now, it’s probably not going to be updated for this protocol vulnerability. You’ll either have to live with it (see “steps to take” above) or update to a newer OS or device.
And yes, I said “device”. One of the areas considered particularly problematic is that of Android tablets and mobile phones. Almost all are at the mercy of the mobile company from which they were purchased, and many of the older models still in use are not getting updates of any sort. Some will get updates quickly, and some not at all. It’ll be important to know which boat you’re in.
When it comes to TVs and IOT devices, it’s unclear when, how, or even if they’ll ever be updated, and what the ramifications of that might be.
This is about clients, mostly
One final point: the fixes apply mostly to Wi-Fi clients — the computers and other devices you use which connect to the network wirelessly. Wireless routers and access points, as I understand it, may not be impacted in the same way. Nonetheless, be on the lookout for updates to your router or access point’s firmware related to this issue.
There’s one specific case that is impacted, and that’s a wireless range extender or repeater. These act as both clients and access points. Since they act as clients, connecting to another wireless router or access point, they would likely be vulnerable to this issue. You’ll want to update their firmware as soon as the manufacturer makes a fix available.