Today’s global headlines are full of the breaking and shocking news that Wi-Fi’s WPA2 security has been broken and is vulnerable to attack, putting practically every device at risk. What’s really shocking, though, is that it’s not breaking news at all. Internet vendors were informed about this issue months ago, but appear not to have acted on it.
The weakness in the wireless protocol WPA2—dubbed KRACKED—was discovered by Mathy Vanhoef and Frank Piessens, security experts at Belgian university KU Leuven, in their paper Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2.
On the KRACKED site the researchers point out: “Although this paper is made public now, it was already submitted for review on 19 May 2017. After this, only minor changes were made. As a result, the findings in the paper are already several months old.”
And they add: “We sent out notifications to vendors whose products we tested ourselves around 14 July 2017. After communicating with these vendors, we realized how widespread the weaknesses we discovered are. At that point, we decided to let CERT/CC help with the disclosure of the vulnerabilities. In turn, CERT/CC sent out a broad notification to vendors on 28 August 2017.”
Linux say they heard about the weakness two days ago and released a patch today. So it took them one day to fix this problem. Then why have more vendors done nothing, despite being informed by the researchers months ago? Oliver Wessling, Director of NOS Microsystems, has some ideas. “Maybe there is no revenue in patching up this issue. Maybe user security is not their concern unless there is bad press about it. Maybe they don’t care.”
At NOS Microsystems we do care about user security. It is our business and our bread and butter, and if hackers are peeking at your data through your Wi-Fi, you can be sure that they cannot see anything you have in get2Clouds, where every action is encrypted.