Wifi, the ubiquitous way to insecurity!

I’ll add that I am in a cafe writing this using, you’ve guessed it, a wifi hotspot however am using a VPN — so that must be secure (it’s not assured either, so I will just have to hope!)

Now that some of the dust has settled following the disclosure of the KRAK attach on WPA2 where should you consider going now? WPA2 has been in use for for well over 10 years and replaced WEP protocol on Wi-fi (but not before it too was recognised as insecure)

Wireless in its very nature is insecure. Think about it, you broadcast your devices details, get a handshake with another device and as if by magic, you’re connected. Except it’s not quite that simple. You can already be phished by fake Wi-fi hotspots.

With WPA2 there is actually a 4 way handshake. This, as it turns out is the attack vector used to KRAK the security. The 4-way handshake was mathematically proven as secure. Public-private key encryption on its own, when using best practice is very secure, when 1 key locks the data (the public key) and another is used to unlock it (the private key). The key challenge with this are the layers on top of this, that ultimately can create work arounds. (I feel like someone should explain some of this to the UK Government, that seems not to be in favour of encryption and favours mechanically breakable back doors!!!)

When KRAK was demonstrated, they used poorly implemented ssl on match.com to work around the security and to capture the users credentials. The demonstration was elegant and showed how easily you as the user could be easily convinced you were on a trusted site. What about banking, email, messaging… the list goes on and as long as there is the chance for mistakes to be made then Wi-fi security is your last line of defence, except when it’s not.

A good VPN can help mitigate some of this as well as device level systems preventing connection without a VPN. The other, use a wired connection. This creates a physical barrier that then means that nefarious individuals need to overcome.

I’ve seen examples where faraday cages were setup around data centres, however these should not be relied upon. It makes the physical management easier but at what cost? Some of these only cover the horizontal plane and may be imperfect above (think drone with antennas). Another route is All it takes is a drill and an antenna to get round this and then means the physical security of the site could be tested.

Wi-fi is a fantastic convenience, as as with all conveniences there are trade offs. It might be nice to check your email in the tube or save your data allowance by using a cafe hotspot. Your office Wi-fi may be really handy for working flexibly.

It may be ok to you to take the chance with your own data, but would you take the same chance with your employer or clients data? Your business sensitive data? Strategy papers? IP? Ask, what could someone do with access to your email, Facebook, Twitter and all of your online accounts…

What can you do?

As suggested a well implemented VPN is a good start. Do your research if getting one privately.

If looking to apply this to a range of corporate devices, consider what device management is in place on these devices.

If there is a BYOD policy in place do you have encrypted containerisation with application level VPN in place (such as Blackberry Enterprise Services)

Avoid using public hotspots, could there be a ‘man in the middle’ between you and the hotspot? If you absolutly have to, use a VPN and check the name of the network to connect to with staff in the location.

Make sure your devices are up to date. Windows, MacOS and iOS have been patched already and Android and Linux builds have patches in the works. It might not help if your carrier or phone manufacturer is in a state of discombobulated discomfort and doesn’t know what to do. See my colleague Ian’s blog for a take on this!

These are just a starting point for how you may want to consider your data security strategy when you are on the go. No system is uncrackable, and those that say their system is, are arrogant, naive or both.

I know how I will connect to the internet in public and private in the future, and now.

Thanks to Mathy Vanhoef @ https://www.krackattacks.com for his research and insight on this.