On Monday October 16, a major security weakness emerged in the public domain that has the potential to affect virtually every personal and business user of WiFi, worldwide.
And if you haven’t thought about the consequences for you and the clients you provide solutions for, it’s time to start.
Just in case you weren’t fully up to speed, Belgian researcher Mathy Vanhoef has unearthed a flaw in the WPA2 protocol that controls access to wireless networks. Known as Key Reinstallation Attacks (abbreviated to KRACK), it essentially works by tricking vulnerable client devices into thinking that a password key already in use is actually being newly installed.
As a result, traffic can be exposed to attackers: while a connection is being established, a vulnerable device can be made to repeat sensitive data it uses to identify itself. Taken further, the same method could also be used to inject malware into otherwise legitimate websites.
What are the consequences and who’s most at risk?
Well, the good news (and yes, there is some for the time being) is that no known serious hacks have been made using this method at the time of writing. This is principally because Vanhoef’s findings were deliberately kept private until their release on October 16.
Now here’s the bad news. The potential risk of sensitive data interception posed to any WiFi-using device is so severe that everybody – including independent software vendors, system integrators and service providers like you – will need to carefully consider everything they use and do to make sure data is kept secure.
Some devices and users are more at risk than others, and there are some specific circumstances and pointers to bear in mind:
- Limited physical range of attack: To carry out an attack, a would-be hacker needs to be in range of the WiFi network he/she wants to access. This means that the risk for homes and offices is relatively low, depending on the surrounding environment, but public-facing WiFi networks (for example, a hotspot in a coffee shop) could be at much greater risk.
- Android devices are vulnerable: researchers have found that Android systems of version 6.0 or later carry a related flaw that makes this attack easier to carry out than on other devices. So newer Android phones – especially those which haven’t had regular software updates installed – could be at serious risk any time they’re connected to WiFi.
- Password changes are pointless: because these attacks target information rather than devices, an attacker doesn’t actually need the existing password to carry one out. So while changing a WiFi password might seem like a natural first step, it would be a complete waste of time in this instance.
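To make the two points above concrete (why a "reinstalled" key matters, and why changing the password does not help), here is an added example that is not part of the original article. It models a WPA2-style nonce-based stream cipher with a constructed keystream derived from SHA-256 (a deliberate stand-in for the real AES-CCMP cipher), a client that resets its packet nonce whenever a key is installed, and the published countermeasure of refusing to reinstall a key that is already in use. The `Client`, `keystream` and `simulate` names, the sample packets and the keys are all constructed for this illustration.

```python
"""Toy model of why reinstalling an in-use WPA2 key is dangerous.

Added example, not code from the original article. A simplified nonce-based
stream cipher stands in for AES-CCMP; the keystream is derived from SHA-256
so the whole thing runs offline with the standard library only.
"""
import hashlib
import os


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Deterministic keystream from (key, nonce): a toy stand-in for AES-CCMP.

    As with any stream cipher, the same (key, nonce) pair always yields the
    same keystream, which is exactly why a nonce must never be reused.
    """
    out = b""
    counter = 0
    while len(out) < length:
        block = key + nonce.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """A WiFi client holding a session key and a per-packet nonce counter."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.nonce = 0

    def install_key(self, key: bytes) -> None:
        # Unpatched behaviour (the "tricking" the article describes): treat the
        # key as new and reset the packet nonce to zero.
        # Patched behaviour (the published countermeasure): a key that is
        # already installed is left alone, so the nonce keeps counting upward.
        if self.patched and key == self.key:
            return
        self.key = key
        self.nonce = 0

    def encrypt(self, plaintext: bytes) -> bytes:
        ct = xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))
        self.nonce += 1
        return ct


def simulate(patched: bool, session_key: bytes):
    """Encrypt two packets with a key reinstallation in between.

    Returns (ciphertext XOR, plaintext XOR). If the two are equal, the
    keystream was reused and a passive observer can relate the two
    plaintexts to each other without ever knowing the key.
    """
    p1 = b"GET /account HTTP/1.1  "  # constructed sample packets, equal length
    p2 = b"Cookie: session=SECRET "
    client = Client(patched)
    client.install_key(session_key)
    c1 = client.encrypt(p1)
    client.install_key(session_key)  # a retransmitted handshake message
    c2 = client.encrypt(p2)
    return xor(c1, c2), xor(p1, p2)


def keystream_reused(patched: bool, session_key: bytes = None) -> bool:
    """True when the reinstallation caused the same keystream to be used twice."""
    if session_key is None:
        session_key = os.urandom(32)  # constructed session key
    ct_xor, pt_xor = simulate(patched, session_key)
    return ct_xor == pt_xor


if __name__ == "__main__":
    # The outcome depends on the client's behaviour, not on which key is used,
    # which is why a password change alone does not remove the exposure.
    for key in (b"k" * 32, b"changed-password-derived-key-000"):
        print("unpatched client, keystream reused:", keystream_reused(False, key))
        print("patched client,   keystream reused:", keystream_reused(True, key))
```

Run it and the unpatched client reports keystream reuse for every key, old or new, while the patched client never does. That is the whole story behind the two bullets: the fix lives in the client's key-handling code (hence patching), not in the password.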
So what should you do for your clients?
Of course, every ISV, service provider and system integrator will have a different set of clients, so approaches to handling the situation will obviously vary. Assessing each client’s data and device footprints to see if anyone or anything is particularly vulnerable pretty much goes without saying.
But there are two key steps which apply universally – and although they might sound like simple common-sense, the gravity of the situation means they’re definitely worth stating:
- Stay right on top of the fixes: an issue this serious means that there will be a multitude of patches, upgrades and firmware released across various hardware and software platforms to solve the problem. Indeed, some software creators have done so already.
As clients might be using a variety of different platforms, it’s therefore critical to keep abreast of new fixes so that you can take advantage of them as soon as they’re released. Even though this may well already be part of your regular operations, it’s worth considering making this habit a daily one, or perhaps even more frequently than that.
- Keep the lines of communication open: when your clients are seeing reports of security panic in the media, the last thing they want is to be kept in the dark by their provider. It can be tremendously helpful to them if you can keep them aware of the problem, its consequences and the protective steps both you and they can take where possible.
Some of these might not even be software-based, but suggestions on how workforces can change their practices to stay secure. For example, as Android users are at particularly high risk among mobile devices, employees using them on a BYOD basis can be encouraged to stick to their cellular data coverage when out in the field. Or, if they have to connect to public WiFi, they can be advised to only visit websites served over HTTPS, which provides at least some additional protection.
Ultimately, from a provider point of view, a leave-no-stone-unturned, communicative approach can make your clients feel safer while you collectively weather security storms like these. And in turn, that can only help strengthen your client relationships and make you more likely to get repeat business from them in the future.
Sometimes dealing with security threats is about more than keeping the hackers out.
Start your free trial of leading-edge mobile security solution, IBM MaaS360, which can help keep your clients’ data safe.