When you use a secure WiFi network, chances are the WPA2 security protocol is in place. It’s intended to prevent attackers or third parties from viewing data sent over the network. That means you can browse, email, message, buy and bank with some peace of mind that people can’t see or steal your data and logins.
But a newly discovered vulnerability in this protocol means things are no longer quite so safe. An attacker in physical range of a WiFi network can decrypt data going over the network, which means some of that sensitive material might now be visible.
The WPA2 WiFi vulnerability is bad, but there are a couple of saving graces
1. The attacker needs to be in your network’s physical range
There’s no exploiting this from the other side of the world, or the country, or even the city. That point where your WiFi connection drops out? An attacker can’t be any further away than that.
So the likelihood of an effective attack at your home is kind of low. But it is very much a concern in large networks, such as airports, conferences or even publicly-accessible places within your building where the WiFi still carries. Could someone sitting in a car outside your workplace be in range of your WiFi? Then they could probably get in.
2. It does not take away protection from properly-configured secure (https://) sites
Secure websites use an additional layer of encryption. The data that passes between your device and the website would just appear as gibberish to someone exploiting the WiFi vulnerability. This covers more and more websites, including online banking and most social networks and email services.
How can you tell if the website has https:// protection? Look for the padlock in the address bar.
What you should do to address the WPA2 WiFi vulnerability
If you use WiFi, you’re almost certainly vulnerable no matter what device you use.
But it’s a software vulnerability, rather than hardware – so all it will require is a patch or update.
Patches are on the way for all major devices and hardware. As always, we recommend you install security updates as they become available. We will advise clients individually about updating devices such as routers.
It’s unlikely attackers will be able to exploit this before patches for Windows, Mac and iOS are available, but it’s really important you do get those patches as soon as they’re out.
UPDATE 1 November: Both Microsoft and Apple have released security patches for their current operating systems. Be sure to update at your earliest convenience.
Android devices can take somewhat longer to be patched. We therefore recommend you hold off using public WiFi on these until you’re sure you’ve got protection.
And if you want to be extra vigilant:
- avoid using public WiFi networks – even those with password protection
- limit use of workplace and home WiFi if someone you don’t know or trust could sit within its range unnoticed
- avoid accessing sites without https:// protection (padlock in the address bar)