Senior Online Safety - US CERTYour WiFi encryption and thereby your WiFi connection is at risk, is today’s headline. Security researchers have discovered a vulnerability in the WPA2 (WiFi Protected Access II) WiFi encryption protocol, which would make it possible for an individual in proximity to your wireless network to compromise the encryption between your device and your network device.

This morning, 16 October 2017, the Department of Homeland Security Computer Emergency Readiness Team (DHS-CERT) issued Vulnerability Note VU#228519, which provides the technical details, and links to the original researcher’s data.

What you should do

Device manufacturers will be creating software/firmware patches to address this identified vulnerability. When they do, they will be pushing to your devices this security update. Update your device as soon as you receive this update.

The reality is the likelihood your home’s WiFi encryption in your personal network being exploited today is very low, but it is not at zero. The hacker must be within range of your WiFi network to attack your network.

If you are in an urban area, you may be more vulnerable than those who live rural – just from a physical security standpoint, as a visitor to a rural farm stepping within the WiFi network footprint, may be more noticeable, than the individual sitting in the corner of a large coffee shop or in an adjoining building.  By the way, the also must have the technical acumen to pull off the man-in-the-middle attack.

In the interim, if possible, avoid use of WiFi WPA2 encryption by using your mobile network data connection. For those whose only option is the WPA2 encrypted WiFi connection, you may reduce the time available for the vulnerability to be exploited by turning your WiFi off when not in use, and only having it running when you absolutely need to transmit information.

Once you have updated your device, then you should continue to follow our advice on the use of secure WiFi encryption.

Which vendor’s WiFi encryption is vulnerable?

The following list of vendors have been identified as being affected by the WPA2 vulnerability, many others have been identified as status “unknown” for a complete list from the DHS-CERT, click here.

  • Aruba Networks 
  • Cisco 
  • Espressif Systems 
  • Fortinet, Inc 
  • FreeBSD Project 
  • HostAP 
  • Intel Corporation 
  • Juniper Networks 
  • Microchip Technology 
  • Red Hat, Inc. 
  • Samsung Mobile 
  • Toshiba Commerce Solutions 
  • Toshiba Electronic Devices & Storage Corporation 
  • Toshiba Memory Corporation 
  • Ubiquiti Networks 
  • ZyXEL