PHN Alert: WI-FI
A message from the Australian Digital Health Agency
Unencrypted communication that occurs over a wireless network (including email communication), should be considered unsecured.
As you may be aware, there has been a vulnerability in the protocol at that is used to authenticate wireless services. The below summary and attached technical alert provide some information regarding the vulnerability.
What has happened?
A security researcher (Mathy Vanhoef) has identified a vulnerability in the Wi-Fi Protected Access (WPA) protocol. This is currently the most common protocol used for securing wireless networks, and is considered the most secure protocol currently available. The vulnerability identified allows a malicious attacker to gain access to all unencrypted information traversing the wireless network, and potentially make changes to the information (for example inserting malicious content into a non-malicious website connection).
What is the impact?
All devices that connect to wireless networks are vulnerable, regardless of their operating system. Due to the way in which Linux has implemented the wireless protocol, Linux based devices vulnerable to a more severe exploit of this vulnerability. This includes all Linux distributions, android devices, and ‘smart’ devices that are based on a Linux distribution.
The vulnerability occurs in the communication between the wireless access point and the wireless client device when the wireless device is authenticating to the network. Therefore wireless routers and other wireless access points, as well as on all devices that are used to access the wireless network (computers, mobile devices, IoT devices etc) are all affected.
What can be done?
At this stage producers of network hardware and operating systems are expected to release patches over the coming days, and these patches must be applied as soon as practicable (some patches have already been released at the time of writing). As this impacts both the wireless access points and the wireless client devices, patches must be applied to wireless access points as well as to all devices that connect to wireless networks.
There is currently not an alternative secure protocol that can be used for wireless networks. The older protocol, WEP, is not secure, and there are well established exploits available in the wild for attacking it. It is therefore lower risk to continue to use WPA based protocols despite the newly identified vulnerability.
Until patches are released and applied, all unencrypted communication that occurs over a wireless network (including email communication, as it is generally unencrypted) should be considered unsecured.
The Australian Digital Health Agency has prepared a security alert.