As many of you are aware, a vulnerability in the WPA2 protocol has been discovered, as detailed here.
How bad is the problem?
- The vulnerability can impact any device that uses WPA2 to connect to a Wi-Fi network
- Patches are not yet available from all vendors (see below)
- A malicious actor could inject malicious data into unencrypted HTTP connections
- Other data transmitted over the Wi-Fi connection that is not encrypted at the application layer could be intercepted and read
- The vulnerability has not yet been actively exploited in the wild
- An attacker has to be "in range" of your Wi-Fi network to launch the attack
- The attack is complex
- Many communications on internal networks are already encrypted
What can I do?
While we are not currently advising customers to turn off Wi-Fi completely, there are some mitigation steps that can reduce the risks presented by this vulnerability. These are:
- Consider the use of client VPNs over Wi-Fi where you already have them, to guarantee the privacy of data in transit
- Ensure that your asset management practices are complete in regard to Wi-Fi infrastructure, so that when patches are released by your respective vendor they can be applied immediately to each and every vulnerable piece of equipment
- Ensure that any existing IoT devices (e.g. smart TVs, presentation endpoints, etc.) are part of the patching regime
- Where you have the capability to do so, tune your access point radios to limit signal leakage outside the building
- Where possible, turn off access points that are rarely used
- Patch as soon as the updates are available
- Sweep your network after updates to identify any "orphan" access points that were missed
- Always use VPNs or TLS-protected applications when using untrusted networks, such as those provided in hotels
Vendors are in different states of addressing this issue as per below: