What is the problem?
Belgian researchers have published information about a vulnerability in the most popular WiFi encryption protocol that makes monitoring of all communications possible, except those communications that are otherwise secured (for example, when communicating with a secure server or when using a virtual private network (VPN)).
For example, a person using a laptop to connect to a WiFi router to access the internet and who then logs in to an email account, views and amends a client pitch document, and then emails it across to colleagues to check, risks the potential interception and public dissemination of the contents of all of that material and the email account username and password, too.
Who does it affect?
WiFi traffic is very frequently encrypted via the WPA2 protocol. It is this protocol that has been cracked, meaning that traffic passing from computer devices (phones, laptops, tablets and the like) to access points (WiFi routers) can be intercepted and decrypted. The intercepted contents can then be read, unless they are otherwise encrypted. For example, if you are passing confidential material, trade secrets, usernames and passwords, personal data or sensitive material solely via WPA2 encryption (that is, you are not using a VPN or going through a secure website, i.e., one that starts with https:// or has the little lock icon), you are leaving yourself open for that material to be intercepted and read.
When will it be fixed?
As always, companies should ensure that they are frequently patching software and that they are using the most up-to-date versions available. Having said that, fixes will be slow to roll out, and Internet of Things devices with embedded WiFi are likely to be difficult to update. Employees who log on via their home networks may also be affected.
What should we do?
A good starting point for continuing to protect data and transmissions would be:
- Try to use https:// connections in order to be provided with an alternative encryption technique that is unaffected by this vulnerability.
- Update your WiFi router and endpoint devices as soon as patches and updates are available. Both elements need to be updated in order to address the issue.
- Consider the use of a VPN if you need to transmit particularly sensitive material and remain concerned.
What is the law?
There are data protection and cybersecurity laws and regulations in place across the majority of the globe, which are constantly in the process of being refined, updated and strengthened. The requirements on businesses are becoming increasingly challenging. Failure in this space is now a more significant issue than simply non-compliance. Regulators are becoming armed with a much more fearsome arsenal of powers, including the oft-quoted 4% of annual global turnover as the maximum EU General Data Protection Regulation (GDPR) penalty; data subjects are more aware of their rights than ever before, and a litigation culture is now becoming embedded; and reputational damage seemingly always flows from a data breach.
European Union Member States have very specific requirements under the EU Data Protection Directive (which is implemented into national legislation, such as the Data Protection Act 1998 in the UK). There is also sector-specific legislation that applies to cybersecurity for regulated businesses, such as financial services, public bodies and telecommunications providers.
In the US, there is a wealth of different legislative tools that compel appropriate levels of cybersecurity including in Massachusetts (201 Mass. Code Reg. 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth), Nevada (Nev. Stat. 603A.215) and New York (N.Y. Comp. Codes R. & Regs); the Gramm-Leach-Bliley Act; and the Health Insurance Portability and Accountability Act.
There will be very few (if any) businesses that are not subject to data security requirements. This vulnerability should therefore be on the radar of every client.