October 17th 2017
Yesterday (October 16th), research into potential global weaknesses to Wi-Fi systems was published, and it is emerging that manufacturers are now providing – or planning to provide – patches to overcome the vulnerability. But it may not be an instant process.
The researchers claim that a flaw in the WPA2 security protocol found on most modern protected Wi-Fi networks leaves systems, devices and users vulnerable to theft of data (for example, confidential information) and to possible injection and manipulation of data. The weaknesses are said to be in the Wi-Fi standard itself, not in individual products. It is not thought that easy-to-use attack tools have yet been made widely available to criminals who wish to exploit the flaw, which has been dubbed KRACK.
In response, the National Cyber Security Centre (NCSC) has published an official statement:
“It is absolutely vital that Wi-Fi networks are safe and secure, and the National Cyber Security Centre is committed to making the UK the safest place to live and work online.
“Research has been published into potential global weaknesses to Wi-Fi systems. The attacker would have to be physically close to the target and the potential weaknesses would not compromise connections to secure websites, such as banking services or online shopping.
“We are examining the research and will be providing guidance if required. Internet security is a key NCSC priority and we continuously update our advice on issues such as Wi-Fi safety, device management and browser security.”
Manufacturers' fixes on the way
Microsoft has said that it pushed out patches for Windows 7, 8 and 10 last week. Apple has said that its fixes for iOS and macOS devices are currently at the testing phase, and will be rolling out "in the next few weeks".
Google has promised an Android patch on November 6th, but the only phones likely to receive it quickly are its own Nexus- and Pixel-branded devices. Android devices from other manufacturers will require customised fixes – likely to take considerably longer.
– NCSC guidance on end user device security to home users and businesses can be seen here. It states risks associated with using Wi-Fi which must be considered and accepted before its use is permitted.
– NCSC guidance is a crucial part of ensuring that the UK has the capacity to manage the increasing cyber threat. It provides advice, not standards or policy. And because our guidance is advisory in nature, it provides a sound basis for users to make their own informed decisions.
– The NCSC’s 10 Steps to Cyber Security outlines the basic cyber security procedures to protect your organisation from cyber attacks, while Cyber Essentials allows organisations to advertise that they meet a government endorsed standard of cyber hygiene.
– The potential weaknesses in global Wi-Fi systems have been outlined by researchers in computer security from the University of Leuven. They have given the weakness the codename KRACK (Key Reinstallation AttaCK).
– As well as not compromising connections to secure websites, the potential weaknesses would not compromise connections to secure enterprise VPNs.