It has been announced today (16 October 2017) that there is a severe vulnerability in the security of WiFi connections.
Belgian researchers have identified a weakness in the WPA2 protocol used by the vast majority of WiFi networks that potentially exposes wireless traffic to eavesdropping and manipulation by an attacker within radio range. WPA2 is currently the recommended option for securing WiFi networks. If the traffic on your network is not protected by an additional layer of encryption, such as HTTPS or a virtual private network (VPN), an attacker in range of the network could read or tamper with it.
This weakness has been given the name KRACK (Key Reinstallation Attack).
The United States Computer Emergency Readiness Team (US-CERT) issued a warning which was published this morning (16 October 2017):
“The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection and others,” the alert says, detailing a number of potential attacks. It adds that, since the vulnerability is in the protocol itself, rather than any specific device or software, “most or all correct implementations of the standard will be affected.”
This vulnerability affects phones, laptops, WiFi systems in offices and public areas and many other devices.
What we know now is that an attacker within WiFi range can not only eavesdrop on traffic but, on some networks, also inject content into unencrypted connections, for example to deliver malware to connected devices. The fix is a software or firmware update to the affected devices: the WPA2 standard itself does not need to change, and a patched device can still talk to an unpatched one. Note that the weakness lies mainly in client devices (phones, laptops, tablets), so updating the router alone is not enough; routers and access points also need a firmware update from their vendor where they use features such as fast roaming (802.11r) or operate as a client or repeater.
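The name "Key Reinstallation Attack" describes the mechanism: a vulnerable client that receives a retransmitted handshake message installs the same session key a second time and resets its per-packet counter, so it encrypts new frames with a keystream it has already used. The following is an added example, not code from the original post or from the researchers, that models the observable symptom on air: a station's CCMP packet number going backwards without a fresh handshake. The event format, station address and traces are constructed for the example; a retransmitted message 3 is reported only as informational, because it also happens legitimately whenever message 4 is lost and a patched client handles it without resetting its counter.

```python
"""Simplified monitor for the on-air symptom of a WPA2 key reinstallation.

Constructed model (added example, not the post's or the researchers' code): a 4-way
handshake installs a fresh session key, identified here by its ANonce, and every CCMP
data frame sent under that key carries a packet number (PN) that must only increase.
A client that reinstalls the same key resets its PN, so a PN that goes backwards
without a new handshake is the symptom to alert on.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class StationState:
    anonce: Optional[str] = None   # identifies the key session currently installed
    max_pn: int = -1               # highest packet number seen under that key
    msg3_count: int = 0            # message-3 frames seen for this session


def process_events(events) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for a trace of constructed monitor events.

    Event shapes (constructed for this example):
      ("handshake", station, msg_number, anonce)  - EAPOL-Key message 1..4
      ("data", station, pn)                       - CCMP data frame sent by the station
    """
    stations = {}
    findings = []
    for ev in events:
        kind, sta = ev[0], ev[1]
        st = stations.setdefault(sta, StationState())
        if kind == "handshake":
            msg, anonce = ev[2], ev[3]
            if anonce != st.anonce:
                # New ANonce: a new handshake and a fresh key, so a PN restart is expected
                st.anonce, st.max_pn, st.msg3_count = anonce, -1, 0
            if msg == 3:
                st.msg3_count += 1
                if st.msg3_count > 1:
                    findings.append(("info", f"{sta}: message 3 retransmitted for ANonce {anonce}; watch for a packet-number reset"))
        elif kind == "data":
            pn = ev[2]
            if st.anonce is not None and pn <= st.max_pn:
                findings.append(("alert", f"{sta}: packet number {pn} after {st.max_pn} under the same key; nonce reuse, key likely reinstalled"))
            # Report once per reset, then track from the new counter value onwards
            st.max_pn = pn
    return findings


def alerts(events) -> List[str]:
    """Only the findings that indicate an actual key reinstallation."""
    return [msg for sev, msg in process_events(events) if sev == "alert"]


# Constructed traces. The station talks to an AP; the attacker blocks message 4,
# so the AP retransmits message 3 and the client answers with message 4 again.
STA = "aa:bb:cc:dd:ee:ff"
HANDSHAKE = [("handshake", STA, n, "anonce-1") for n in (1, 2, 3, 4)]
RETRANSMIT = [("handshake", STA, 3, "anonce-1"), ("handshake", STA, 4, "anonce-1")]

VULNERABLE_TRACE = (HANDSHAKE + [("data", STA, pn) for pn in (1, 2, 3)] + RETRANSMIT
                    + [("data", STA, pn) for pn in (1, 2)])       # key reinstalled, PN reset
PATCHED_TRACE = (HANDSHAKE + [("data", STA, pn) for pn in (1, 2, 3)] + RETRANSMIT
                 + [("data", STA, pn) for pn in (4, 5)])          # patched client keeps counting
REKEY_TRACE = (HANDSHAKE + [("data", STA, pn) for pn in (1, 2, 3)]
               + [("handshake", STA, n, "anonce-2") for n in (1, 2, 3, 4)]
               + [("data", STA, pn) for pn in (1, 2)])            # fresh key, PN restart is fine

if __name__ == "__main__":
    for name, trace in (("vulnerable", VULNERABLE_TRACE), ("patched", PATCHED_TRACE), ("rekey", REKEY_TRACE)):
        print(name, process_events(trace))
```

The same two conditions are what a client-side self-test looks for: if, after a retransmitted message 3, the client's next data frames restart their packet numbers, the client is reinstalling keys and needs the vendor's update.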
Who is affected?
Everyone, but especially those working remotely or from a home office, and smaller businesses that are run from home. It is difficult to assess the severity of this situation at this time. Two points are already clear: the attacker has to be within WiFi range of the network, and the attack does not recover the WiFi password, so changing it does not help; only updating the affected devices does. If eavesdropping or hijacking turn out to be easy to carry out, people should avoid using WiFi whenever possible until a patch or mitigation is in place. When WiFi is the only connection option, use HTTPS, STARTTLS, Secure Shell and other protocols that encrypt traffic independently of the wireless link, so that web and mail traffic is protected between the computer and the server regardless of what happens at the access point. A VPN adds a further layer of protection. Any connection to a website that is not served over HTTPS should be considered public until the devices involved are patched.
Home internet connections will remain difficult to secure because consumer wireless routers are rarely updated, and we believe smaller businesses are most at risk, as they are likely to use consumer-grade WiFi equipment in the office.
Keeping ahead of the issue
As a responsible service provider to the recruitment industry, we at Volcanic feel it is essential that we explain to our customers about the issue and the steps we have taken.
Our Chief Technical Officer, Matt Whiteley, is monitoring the situation closely as it unfolds.
We have been advised that there will be an industry announcement at 14:00 (GMT) today, which we will share.
With immediate effect Volcanic has taken the following preventative measures:
Issued an internal statement so all members of staff are aware of the issue and the measures we have put in place.
Restricted mobile phones to calls only: no tethering and no mobile hotspots.
Suspended all other non-essential network devices.
To protect against this vulnerability, update affected products as soon as security updates become available. In the meantime, we recommend you contact your WiFi equipment vendors or service providers and your own technical team to ensure they prioritise applying a fix as soon as one is released.
The Volcanic platform uses HTTPS (TLS) encryption on all connections between the user's browser and our servers, meaning that should any WiFi traffic be intercepted, it would be meaningless to the attacker. Use of secure HTTPS connections for all of our systems and all of our sites has been Volcanic policy for many years, as we are committed to the highest levels of protection around all data we handle. One caveat applies to any site: HTTPS only defends against this attack when a site is served over HTTPS exclusively and never falls back to plain HTTP, since the researchers' demonstration relied on downgrading a site that did not enforce HTTPS consistently.
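Whether a site really enforces HTTPS is something you can check for your own services. The following is an added example, not Volcanic's code, that evaluates the two signals an on-path attacker on the WiFi link would exploit: a plain-HTTP front page that serves content instead of permanently redirecting to HTTPS, and an HTTPS front page without a long-lived Strict-Transport-Security (HSTS) policy, which is what stops a browser from ever trying HTTP again. The responses, host name and the one-year minimum for max-age are constructed or assumed for the example.

```python
"""Check whether a site enforces HTTPS strongly enough to resist a downgrade to HTTP.

Added example, not Volcanic's code. Responses are constructed dictionaries of the
form {"status": int, "headers": {name: value}} for the plain-HTTP and HTTPS front
pages, fetched without following redirects.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # assumed minimum HSTS max-age (seconds) for this check


def parse_hsts(value: Optional[str]) -> Optional[dict]:
    """Parse a Strict-Transport-Security header into its directives, or None if absent."""
    if value is None:
        return None
    directives = {"max-age": 0, "includeSubDomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip()
        if part.lower().startswith("max-age="):
            try:
                directives["max-age"] = int(part.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                pass  # malformed max-age counts as zero
        elif part.lower() == "includesubdomains":
            directives["includeSubDomains"] = True
        elif part.lower() == "preload":
            directives["preload"] = True
    return directives


def assess_https_enforcement(host: str, http_resp: Dict, https_resp: Dict) -> List[str]:
    """Return a list of weaknesses; an empty list means HTTP redirects and HSTS is adequate."""
    issues = []
    http_headers = {k.lower(): v for k, v in http_resp["headers"].items()}
    https_headers = {k.lower(): v for k, v in https_resp["headers"].items()}

    # 1. Plain HTTP must permanently redirect to the HTTPS origin of the same host.
    location = urlsplit(http_headers.get("location", ""))
    if http_resp["status"] not in (301, 308):
        issues.append(f"http://{host} answers {http_resp['status']} instead of a permanent redirect to HTTPS")
    elif location.scheme != "https" or location.hostname != host.lower():
        issues.append(f"http://{host} redirects to {http_headers.get('location')!r}, not to https://{host}")

    # 2. The HTTPS response must pin the browser to HTTPS for a long time, subdomains included.
    hsts = parse_hsts(https_headers.get("strict-transport-security"))
    if hsts is None:
        issues.append(f"https://{host} sends no Strict-Transport-Security header")
    else:
        if hsts["max-age"] < ONE_YEAR:
            issues.append(f"HSTS max-age {hsts['max-age']} is below the assumed one-year minimum")
        if not hsts["includeSubDomains"]:
            issues.append("HSTS does not cover subdomains (includeSubDomains missing)")
    return issues


# Constructed responses: a weak configuration beside a corrected one.
HOST = "www.example.com"
WEAK_HTTP = {"status": 200, "headers": {"Content-Type": "text/html"}}                  # serves pages over HTTP
WEAK_HTTPS = {"status": 200, "headers": {"Strict-Transport-Security": "max-age=300"}}  # five-minute HSTS
GOOD_HTTP = {"status": 301, "headers": {"Location": "https://www.example.com/"}}
GOOD_HTTPS = {"status": 200, "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}}

if __name__ == "__main__":
    print("weak:", assess_https_enforcement(HOST, WEAK_HTTP, WEAK_HTTPS))
    print("good:", assess_https_enforcement(HOST, GOOD_HTTP, GOOD_HTTPS))
```

To run it against a real site, fetch http://host/ and https://host/ with redirects disabled (for example with `requests.get(url, allow_redirects=False)`) and pass each response's status code and headers in; any issue reported is a foothold an attacker on the wireless link could use to keep a user on plain HTTP.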
Update - 18:00 October 16th
Microsoft has confirmed that it has already released a fix for this issue to all supported versions of Windows, and it will have been applied by Windows Update. Business users should still be aware that company-managed devices might not update automatically, depending on your company policy.
Google has confirmed that a fix for Android is in the works, but there are concerns about how long phone manufacturers take to push official updates to users' phones. Even flagship devices are several updates behind, so it could take months for users to be protected again.
Apple is yet to comment.
Learn more about cyber security with our free eBook: The Recruiter’s Guide to Cyber Attacks, Data Protection and Systems Security.