Security researchers have discovered a huge flaw in WiFi that affects just about every gadget we use and could give hackers easy access to our networks and our devices.
The vulnerability surrounds WPA2, a type of security protocol that protects almost every router and home WiFi network in the world.
Belgian security researchers Mathy Vanhoef and Frank Piessens discovered the vulnerability and have already alerted major worldwide organisations including the United States’ Computer Emergency Readiness Team (CERT) who are expected to give a full statement on the vulnerability later today.
How does it work?
Without getting bogged down in the technicalities the vulnerability exploits the way that devices communicate with each other over a WiFi network and how they prove to each other that they’re genuine and safe.
WPA2 uses something called a four-way handshake in order to maintain an invisible wall against prying eyes seeing the information you access or send on your home WiFi network.
The handshake uses randomly generated encryption keys to allow devices to talk safely. The researchers however were able to break through this encryption by using a trial-and-error approach until they had successfully generated the encryption key.
This then gave them full access to the network and potentially all the un-encrypted information that was being sent around it.
What can they do?
Well the easiest thing they can do is just join your network uninvited and start using your internet.
They can also potentially hack into any smart home devices that are not properly encrypted including cheap or old webcams, baby monitors that aren’t secure or a number of smart home devices that either haven’t been updated recently or just don’t use encryption.
“Devices with embedded WiFi for secondary functional purposes, like TVs and baby monitors, are unlikely to get proper updates.”
As a protocol problem, it’s possible we will be forced to choose between security and functionality, and many users will choose the latter – it’s a difficult problem to weigh.”
Finally they can potentially access your browsing habits by seeing the unencrypted websites you’ve been visiting.
Under all of this however is a major caveat, hackers can only do this in person. You can’t just suddenly pick and choose a network on the other side of the world and start hacking in.
Is my WiFi network safe?
The short answer is no, probably not. In their blog post the researchers additionally point out that “any device that uses Wi-Fi is likely vulnerable,” as well.
What should I do now?
Speaking to HuffPost UK, Jarno Niemelä, Lead Researcher at F-Secure Labs explains the advice actually doesn’t change for normal consumers.
“The good news is that security advice doesn’t really change. Public WiFi is always thought to be untrustworthy and users should always use a VPN. And home and other WiFi access points under the user’s control should always be updated with latest ROM versions anyway.” he says.
So what can you do immediately? Make sure that all your devices are up to date, and that means all your devices including routers, TVs, any smart home equipment you might have.
Alex Hudson also makes an extremely good point in his blog which is that for the vast majority of us, our browsing habits and messages will still remain secure.
Any website that uses HTTPS (or a padlock symbol next to the web address) is completely secure. Luckily for the general public that’s pretty much all the websites we visit regularly.
In addition browsers like Chrome and Safari will warn you first if you’re about to visit an unencrypted website which should give you an extra layer of protection.
Remarkably, the one thing you actually don’t need to do is update your password on your router. This vulnerability goes well beyond a password so if you were to change it it would be for peace of mind only.
As mentioned earlier, there are likely to be a large number of updates coming for just about every device you own so keep an eye out and make sure you’re updating them as soon as you can.