Posted by Jonathan Clarke - 24 October 2017
There has been a lot of discussion about WiFi security recently. In this post, we’ll cover the basics of WiFi, best practices and an update on the recent KRACK security vulnerability.
WiFi is obviously an essential way to connect your devices to the internet. We use WiFi to make connections when we’re at home, work, out and about or travelling.
At home or work, ensure your WiFi is configured to use WPA2 (WiFi Protected Access 2). A WPA2 network will require a password immediately when you try to connect. Using WPA2 protects the data you and your apps send and receive by encrypting it as it’s transmitted between your device and the WiFi access point.
There is a newly discovered issue with WPA2, which is discussed below.
If possible, disable WEP and WPA1 security - these are now easily compromised and should never be enabled on a business or home network.
The other common kind of WiFi connection you are likely to encounter regularly is known as unsecured, also referred to as open WiFi.
This type of connection is common with free public WiFi, hotspots, and hotel WiFi. Initially a connection is made with no password. Many configurations then present the user with a web page that asks for room booking details, payment options or terms and conditions to be accepted. Open WiFi means there is no encryption being used on the WiFi connection.
In this scenario, it is important to understand that it is technically possible for the data you are sending and receiving to be seen by someone else. For secure websites (these are often referred to as HTTPS and show a lock symbol on the browser address bar), the transmission of your data is considered safe. For non-secure websites all data transmitted can theoretically be intercepted.
Our recommendations when using open WiFi include:
- Any site you log into, or that contains personal information you’d rather not be seen, should use HTTPS. Look for the lock symbol in the browser address bar
- General web surfing, watching YouTube videos, etc is generally considered safe
- For any sensitive sites (e.g. banking sites), even if HTTPS, you may like to consider using a VPN or using mobile 3G/4G data instead
- When connecting to open WiFi, never accept a certificate or profile if you are prompted to install one.
I’ve heard about the KRACK vulnerability, do I need to be worried?
A major vulnerability in the WPA2 standard has recently been revealed with the discovery of the KRACK WiFi attack.
There has been quite a lot of discussion of this in the media, some of it balanced and legitimate and some of it overly alarmist. KRACK has shown it is now theoretically possible for someone to intercept your traffic even when using WPA2, which had previously been considered secure.
Despite some media coverage to the contrary, this vulnerability really only affects the client device, e.g. your mobile device, tablet, phone, IoT device, or computer with WiFi. Some access points that utilise mesh technology to extend a WiFi network are also affected.
While this sounds bad and widespread, it’s still possible to remain safe. Here are some steps you can take to protect yourself:
- Update all of your devices. At the time of writing, we are still waiting for updates for Android. Windows, Linux, iOS 11.1 and macOS 10.13.1 updates are available now
- If your device can’t be updated because of its age, and you use it for web access and apps, you may want to consider replacing it, or at least be aware you are vulnerable
- When using a device that isn’t updated, apply the same safety practices we suggest for open WiFi networks discussed above
- Although not a specific fix for KRACK, it’s good practice to keep your access point firmware up-to-date
- Review what devices you have connected to your WiFi network, including IoT devices like cameras, home automation devices, etc. If these are not updated, they are vulnerable to this security issue
- Review and consider what access to your corporate or business network is possible via WiFi. You may want to restrict and/or remove access from WiFi
If this advice is followed we still consider WiFi connections over WPA2 relatively safe and OK to use.
- It’s still safe to use WiFi
- Understand how to connect to the internet safely on open WiFi networks. Follow these guidelines when connecting to open networks or from unpatched devices
- Update your devices and firmware regularly
- Understand which of your devices can’t be updated, and whether any unencrypted (non-SSL/HTTPS) data they transmit, which could now be intercepted, is a security risk to you
- Consider using a VPN when using particularly sensitive websites or transmitting sensitive data
As soon as information about KRACK started to filter in, Sandfield’s cybersecurity team were on the case. We assessed the risk for our customers, then distributed and actioned a plan for dealing with KRACK. If you’re looking for proactive, practical security advice, feel free to drop us a line.