Over the last few weeks there have been a couple of security issues discovered with wireless communications. The first was with Bluetooth and the second was with Wi-Fi’s WPA2 protocol. Both have major implications for private communications.
The Bluetooth vulnerability called “Blueborne,” which allows someone to take control of your device, was discovered earlier this year. It was made public after patches were released by Microsoft, Google and Apple. This vulnerability has, to our knowledge, only been utilised in a lab as a proof of concept. The big issue with this vulnerability is that you do not have to be connected to any network. Even if your Bluetooth is “off” or not paired it may still be working trying to communicate with other devices and therefore vulnerable. Another issue is the proliferation of Bluetooth devices. There are estimated to be over 8 billion devices that could potentially be infected. That is a huge number of devices that can be used for data mining, crypto currency mining, and creating general mayhem. The good news is that Apple IOS Version 10 (iOS10) and above are immune. Microsoft issued patches in July and Google issued patches on September 9th.
The other vulnerability, “Krack” is the WPA2 protocol.
Krack affects almost all wireless network connections (Wi-Fi). As yet there are no known exploits in the wild, but there also are no known fixes for it either. The exploit allows people to steal data that is going over the connection. There are three simple ways to help protect against Krack:
- Keep up to date with your patches. When a fix is available you will be one of the first to be protected
- Keep using WPA2. You are better with a broken security system than with no security system. The alternatives are WPA and WEP both of which are easily cracked and vulnerable to plenty of malware in the wild.
- Wherever possible use SSL/TLS (HTTPS) encryption between your browser and the servers. That way if they breach WPA2 they also have to decrypt the SSL pay packets. Let’s not make it any easier for them than it already is.
The important things to remember are: Do not panic. These (at this point in time) are just laboratory discovered vulnerabilities and no one has at this stage taken advantage of them for their own gain. If you don’t need to use your device wirelessly then turn the communications portion off. Some devices actually have a hardware switch that allows you to disconnect the device. If not then use the software. And most importantly of all, keep patching your devices as soon as you can after the patch is released. Nowadays it is safer to patch and deal with any teething issues than to wait and/or test the patches when there are known exploits out there. Stay safe.