The WPA2 Security Used to Protect Your Wi-fi Has Been Hacked

As digital accountants, data security is of paramount importance to us and our clients. To this end we are always researching the latest security issues that the industry faces to ensure we are prepared to face them, and our data is kept secure.

Recently, news has come in regarding a WPA2 exploit that allows unauthorised hackers to access protected data sent via wi-fi. WPA2 is very commonly used, and is the de facto standard for almost all home and small business Wi-Fi communications.

What is WPA2? Can I just change my wi-fi password?

Whenever your device connects to your wi-fi network, it first has to ‘handshake’ with the network to confirm such things as correct password usage before access is granted. The standards that are used in this process, previously thought to be 100% secure, are called WPA2. This new hack does not directly attack the password itself; in fact, the hacker will not find your wi-fi password using this attack. Worryingly, they do not need it, as the hack still gives them access to data being transmitted, regardless of the password used. Therefore, simply changing your wi-fi password will not prevent this attack. What needs to be changed is the software running WPA2 on your router, and this isn’t something that you can change yourself. Developers will need to write new versions of this software in order to ‘plug the gap’.

The new exploit (called KRACK – short for Key Reinstallation Attack) is what is known as a ‘man in the middle’ attack. The hacker will need to be in range of your device, at which point they can set up a wi-fi access point that mimics your existing and legitimate wi-fi access point in your router. The hacker will send information to your phone forcing it to switch over onto their compromised access point. The issue here is that many devices now use a default all-zero encryption key to secure their data, and it’s this that allows the hackers to see your information.

At this point, they don’t have your wi-fi password, but they can see the data you are transmitting through their access point. For this reason, changing your wi-fi password won’t help.

So what can I do?

A key part of this attack is the disabling of HTTPS requests. When you access or send information to a website, it is either an HTTP or HTTPS request. HTTPS uses secure encryption and is what gives you the green padlock in the address bar to reassure you that your connection is secure. If you are a victim of the KRACK exploit, you won’t see the green padlock appearing on websites; instead, you will get a non-encrypted HTTP version.

At this stage, all you can do is refrain from entering any personal or secure information into any website that doesn’t clearly display a green padlock or ‘secure’ symbol in the address bar. If you are a victim of the attack, and you enter a password into a website, the hacker will have your password details as well. If you notice that you are no longer getting HTTPS versions of websites (i.e. no padlocks) then your network may be compromised. As for other information being transmitted (files, emails etc.), if the connection isn’t secure or the data isn’t encrypted, the hacker will have a copy of the data. The saving grace here is that the hacker has to be in wi-fi range of your device to carry out the attack; it is not something that can be done remotely. Therefore attacks will have to be physically targeted.
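
The warning sign described above (a site you normally reach over HTTPS suddenly loading as plain HTTP) can also be checked automatically. The following is an added example, not part of the original article: it scans a list of visited URLs and flags any host that was earlier loaded over HTTPS and later over HTTP. The log format, timestamps and `.example` hostnames are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: "<timestamp> <URL>" lines in chronological order,
# e.g. an export of browser or proxy history. All values are made up.
SAMPLE_LOG = """\
2017-10-16T09:00:12 https://bank.example/login
2017-10-16T09:05:40 http://news.example/today
2017-10-17T08:58:03 https://Mail.example/inbox
2017-10-18T12:15:27 http://bank.example/login
2017-10-18T12:16:02 http://news.example/sport
2017-10-18T12:20:45 https://mail.example:443/inbox
not a log line
"""


def find_downgrades(log_text):
    """Return (timestamp, host, url) for each plain-HTTP load of a host
    that was loaded over HTTPS earlier in the log."""
    seen_https = set()
    alerts = []
    for line in log_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # blank or malformed line
        timestamp, url = parts[0], parts[1].strip()
        split = urlsplit(url)
        host = split.hostname  # lower-cased, port removed
        if host is None or split.scheme not in ("http", "https"):
            continue  # not a web URL
        if split.scheme == "https":
            seen_https.add(host)
        elif host in seen_https:
            # Same site, padlock gone: the symptom the article describes.
            alerts.append((timestamp, host, url))
    return alerts


if __name__ == "__main__":
    for ts, host, url in find_downgrades(SAMPLE_LOG):
        print(f"{ts} {host} was HTTPS before, now loaded as {url}")
```

A host that has only ever been seen over HTTP (news.example in the sample) is not flagged, because there is no earlier padlock to compare against.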

Aside from this, the industry is now well aware of this exploit and how to fix it. In time, the makers of routers and access points will upgrade the firmware (the software that runs on the device itself) to fill the gap. In many cases, such as broadband routers, your ISP will automatically provide a fix to the device over your broadband connection, although it’s not clear how long this will take. Android and Linux devices are also earmarked as being the most at risk, so it’s important to keep your mobile phone software updated in case a fix is released by your network operator.