Why your WiFi may well not be as private as everyone thought

At the moment, however, anyone who needs to be HIPAA compliant really needs to be aware of this, as should attorneys, accountants, and anyone in the financial industry. Anyone in that list should take steps to ensure they’re keeping patient/client data secure as it goes out to the world, whether that’s in emails, forms you’re filling out for insurance providers, and so forth.

Every situation is different, so there’s no easy “here’s what you need to do” solution I can lay out here. This is even more true with WiFi than most things in tech since WiFi devices can be from literally hundreds of vendors and every individual’s needs are different. Regardless, after reading this, if you’re concerned, you should call me ASAP so we can discuss this. If you haven’t got my contact details already, drop me a line at the contact link up top or right here. You should probably read the rest of this first, though:

So what’s the big deal, you say? The gist is there’s a way that bad guys can now invisibly eavesdrop on everything that your phone, laptop, tablet, or other WiFi connected device sends out to the Internet. (Yeah, that’s pretty serious!) Moreover, they can also potentially inject Really Bad Things(tm) into websites you’re visiting and you wouldn’t know it isn’t the site owner doing it. I won’t go in depth on the details of it all, since it’s not only dry reading but complex even for a professional geek. It’s 5:30PM as I type this and most of my day has been spent reading up on and digesting all of this!

What’s really concerning is that between the time this was discovered and the time the paper was written up, those working on the issue learned it’s even easier to exploit and riskier than the paper itself describes. There just wasn’t time for any major updates because of the process for publication of such works. This new exploit is a problem for virtually everyone, in my opinion. If you look at how rarely I update this site, you can see that it takes something pretty big to get me to do so! (Most folks don’t need to know this stuff anyway, truth be told. That’s the job of a geek!) Regardless, this one merits a write-up. While there is, at the time of this writing, no known malicious use of this, it is only a matter of time after any such disclosure until the bad guys kick into high gear.

What matters most right now is that if you can update your devices, you should (not that this is really new advice, of course). The issue for many is that not every device currently has an update released. There are things that can be done to mitigate the problem, however. It’s quite important for folks to know that this has existed since day one of WiFi’s use of this standard and we’re only now learning of it. So it doesn’t matter how new or old your WiFi device is: at this point you are probably vulnerable to it!

This sort of thing is exactly why it’s critical to make sure your systems are set up with such problems in mind as much as possible, instead of just set up using whatever the defaults are out of the box. That way, if you end up hacked or even just vulnerable, the damage is mitigated as much as possible and the attacker’s job is that much more difficult.

Early this year a security researcher in Belgium, Mathy Vanhoef, found a serious flaw in WPA2 – the standard that all modern Wi-Fi networks should be using to keep their transmitted data private from “eavesdroppers”. This research was disclosed privately to many companies this summer and only made public this morning at a security conference. (This lead time gives most vendors time to craft a fix, though sadly many simply will never do so.) These researchers named their exploit KRACK, short for Key Reinstallation AttaCK. (Yes, these names are often kind of forced but the catchier names get more attention and, thus, get fixed faster.) Here’s an excerpt:

The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites. The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected.

This is a real problem, folks, though it doesn’t mean the sky is exactly falling, since there are some things we can do to mitigate the risk. It does mean this impacts a wide variety of devices running Android, iOS, Linux, OpenBSD (on which Apple’s desktops and laptops are based) and of course Windows. So please, if you have any duty to keep data private, contact me or another IT professional (if you have one) as soon as humanly possible! (Heck, even if you don’t, for that matter, but I am admittedly biased …) Until we know your devices (phones, tablets, computers, routers, modems, etc.) are up to date and you’re doing all you can to keep private what needs to stay private, you should be very cautious about what you do online!

Here’s another link to my contact page in case you don’t already have my number.
