chas_m
Well-Known Member
You may have read in the news lately that the encryption key for WPA2, by far the most common standard for Wi-Fi access to the internet, has been demonstrated to be “cracked” and is now vulnerable. I thought I would — as briefly as possible — summarize what this means, and what you should do to protect yourself.
In short, it means that any Wi-Fi network is *in theory* hackable. The academics who demonstrated the vulnerability showed that it was pretty easy to reset the encryption keys on a compromised router to all zeros, meaning anyone could *conceivably* read all information being passed around on a given Wi-Fi network, including passwords and other sensitive information. In reality, this is not yet out in the wild and so your odds of being a victim of this sort of security compromise are low, but not zero. This is not a flaw in any OS, though some are much more vulnerable than others due to existing known flaws; it’s a problem with the standard used for Wi-Fi itself.
Operating systems can be protected from this flaw; the latest betas of Apple’s various OSes are already protected, and I would expect an update for all recent systems in the very near future. Of course, this doesn’t do anything for your router: you’ll want to check with your router’s manufacturer about a firmware update, and how to apply it. Here’s the latest list for router updates: https://www.windowscentral.com/vendors- ... nerability
This is a very serious vulnerability that is going to “catch” a lot of people with older operating systems or hardware, or devices running Android. As patches are announced and roll out, be sure to update BOTH your Wi-Fi router AND your operating system. There’s no word from Apple yet about patches for Airport routers, unfortunately, though OS updates are on the way.
What should you do in the meantime?
1. Avoid using public Wi-Fi hotspots, and don’t send or receive sensitive information (like credit card numbers, etc) over Wi-Fi networks. Your home network is *probably* safe if nobody lives near you, but everyone in a place where multiple Wi-Fi networks are present should be careful about doing anything of a sensitive nature on their Wi-Fi networks for the time being. Use an Ethernet connection if possible for home computers, and LTE/cellular for your phones.
2 Android devices are *especially* vulnerable to the suite of attacks needed to compromise devices, so in particular I’d strongly recommend using LTE/cellular only on those devices until you receive notification of a patch. If you have a Wi-Fi only iPad or Android tablet you like to use away from your home network, learn how to set up a Wi-Fi Hotspot using your smartphone to “share” the more secure LTE connection.
3. Since it is very likely that older operating systems and older routers will never be patched, the same advice I have given for years about public Wi-Fi spots still applies: assume they are compromised, and don’t do your banking/sensitive-info stuff on public networks.
4. In order to better secure your home Wi-Fi networks against this sort of attack, make sure your router’s Wi-Fi administration password is NOT set to the default, and create a new, very strong one if it is, or if you have a “simple” password on it. Likewise, it would be a good idea to strengthen/change your home Wi-Fi network’s password. These actions won’t stop the possibility of an attack, but they do make it more work for the attacker, and are good common-sense moves even without this threat.
I’ll post a link to any updates Apple hosts for affected OSes or hardware.
Cheers
Chas
In short, it means that any Wi-Fi network is *in theory* hackable. The academics who demonstrated the vulnerability showed that it was pretty easy to reset the encryption keys on a compromised router to all zeros, meaning anyone could *conceivably* read all information being passed around on a given Wi-Fi network, including passwords and other sensitive information. In reality, this is not yet out in the wild and so your odds of being a victim of this sort of security compromise are low, but not zero. This is not a flaw in any OS, though some are much more vulnerable than others due to existing known flaws; it’s a problem with the standard used for Wi-Fi itself.
Operating systems can be protected from this flaw; the latest betas of Apple’s various OSes are already protected, and I would expect an update for all recent systems in the very near future. Of course, this doesn’t do anything for your router: you’ll want to check with your router’s manufacturer about a firmware update, and how to apply it. Here’s the latest list for router updates: https://www.windowscentral.com/vendors- ... nerability
This is a very serious vulnerability that is going to “catch” a lot of people with older operating systems or hardware, or devices running Android. As patches are announced and roll out, be sure to update BOTH your Wi-Fi router AND your operating system. There’s no word from Apple yet about patches for Airport routers, unfortunately, though OS updates are on the way.
What should you do in the meantime?
1. Avoid using public Wi-Fi hotspots, and don’t send or receive sensitive information (like credit card numbers, etc) over Wi-Fi networks. Your home network is *probably* safe if nobody lives near you, but everyone in a place where multiple Wi-Fi networks are present should be careful about doing anything of a sensitive nature on their Wi-Fi networks for the time being. Use an Ethernet connection if possible for home computers, and LTE/cellular for your phones.
2 Android devices are *especially* vulnerable to the suite of attacks needed to compromise devices, so in particular I’d strongly recommend using LTE/cellular only on those devices until you receive notification of a patch. If you have a Wi-Fi only iPad or Android tablet you like to use away from your home network, learn how to set up a Wi-Fi Hotspot using your smartphone to “share” the more secure LTE connection.
3. Since it is very likely that older operating systems and older routers will never be patched, the same advice I have given for years about public Wi-Fi spots still applies: assume they are compromised, and don’t do your banking/sensitive-info stuff on public networks.
4. In order to better secure your home Wi-Fi networks against this sort of attack, make sure your router’s Wi-Fi administration password is NOT set to the default, and create a new, very strong one if it is, or if you have a “simple” password on it. Likewise, it would be a good idea to strengthen/change your home Wi-Fi network’s password. These actions won’t stop the possibility of an attack, but they do make it more work for the attacker, and are good common-sense moves even without this threat.
I’ll post a link to any updates Apple hosts for affected OSes or hardware.
Cheers
Chas