Cybersecurity: Understanding the recent Krack vulnerability

A couple of weeks ago we woke up to the news that the technology most of our laptops, smartphones and tablets use to connect to WiFi networks has a major cybersecurity vulnerability[1].

This isn’t something that anyone could have predicted, beyond understanding that computer systems are complex and that it’s impossible for their creators to imagine every vulnerability they contain. This is an example of a security issue in correctly implemented and common technology, where (unusually) newer software is more vulnerable.

In short, this is the thing that keeps CISOs awake at night, the unknown but awaited problem.

Most manufacturers and service providers are still scrabbling to issue patches. In the meantime IT teams can only monitor networks and hope that the services employees use have enough additional security to counteract the problem.

But what does this actually mean for organisations who rely on WiFi to operate, what can they do to reduce their risk and what does this teach us about our everyday cybersecurity decisions?

WHAT THE NATIONAL CYBER SECURITY CENTRE IS SAYING[2]

  • There is no need to change Wi-Fi passwords or other enterprise credentials in response to the Krack vulnerability.
  • Hackers will not be able to use this vulnerability to connect to your network, but may be able to read some of the information you exchange if they are nearby. Using services that support HTTPS or connecting to the internet via a VPN should limit exposure to malicious parties.
  • Service providers and manufacturers will be issuing patches and device owners should make sure they stay up to date. Patching is here, and it’s here to stay[3].

WHAT DOES THIS TEACH US ABOUT OUR EVERYDAY CYBERSECURITY DECISIONS?

This type of cybersecurity vulnerability has the effect of swapping a nice, confidential, digital equivalent of the Royal Mail for shouting across a crowded room. As with a crowded room, this doesn’t necessarily mean that anybody else was listening, just that it’s possible. It’s also unlikely that anyone outside the ‘room’ will hear – this is a WiFi vulnerability, so the attacker has to be within radio range of the router you are connected to.

The biggest take-home message for decision makers is that this is only one of many layers of cybersecurity available to them. The companies who have considered the security of every device, application and service they use probably have multiple redundant layers of security… they can continue with business as usual and wait for the patch to arrive. Everyone else is at risk because they were relying on one piece of technology to provide all of their confidentiality.

This means that decision makers need to understand the other parts of the system that could leak data and where there may be a secure alternative:

  • Websites – the green padlock next to the URL indicates that the site is using encryption (HTTPS) to secure communications. That means information you enter is kept confidential as it crosses the Internet.
  • GSM – the older-generation mobile networks use weaker encryption, so unless you’re on 3G/4G, hackers may be able to listen in, just as they can with Krack. Which network you are on depends on where you are, not on which service you pay for: providers will fall back to a GSM data connection for 3G/4G users where there is no other option.
  • Apps – many mobile apps do not encrypt the data they send. Anything you give permission for them to access may be sent entirely unencrypted. There are GDPR implications if, for example, an app you choose shouts your address book across the Internet. Choosing apps carefully and limiting the permissions you give them reduces this risk.
  • Bluetooth and the Internet of Things – devices from wireless keyboards, to printers and even lightbulbs can use wireless communication. They often connect to a hub or computer using Bluetooth, which does not have strong security. Instead of using encryption, these devices rely on the need to be close by and their proprietary protocols to keep information confidential. Look for devices that advertise that they use a well-known encryption standard if you are worried about these devices leaking data.
  • VPNs – a VPN provides a secure tunnel, virtually placing remote devices inside the office network by encrypting all communications that pass over the unsecured networks in between.

Whatever choices you make, Krack shows us it’s always useful to have more than one layer of security protecting our communications.

Please be aware that these notes have been compiled for general guidance only and should not be considered as specific legal or technical advice.

About our Cybersecurity Series
Clayden Law has teamed up with technical expert Emma Osborn, and over the next few months we will provide some back-to-basics analysis of the technical, legal and data protection issues surrounding cybersecurity, aimed at organisations’ non-technical decision-makers. Together, we’ll be highlighting key cybersecurity and data privacy fundamentals and looking at the interplay between law and practice in this area.

[1] http://www.bbc.co.uk/news/technology-41635516

[2] https://www.ncsc.gov.uk/krack

[3] https://www.ncsc.gov.uk/blog-post/time-krack-security-patches-out-again