Feds mum on ‘serious’ flaw in Wi-Fi security
Hackers could exploit hole if not addressed
OTTAWA • The federal government is tight-lipped about how a recently disclosed security flaw found in virtually all Wi-Fi devices is affecting its departments, but public servants who bring their work home with them could be the ones most at risk.
A hole in WPA2, the most common Wi-Fi security protocol — dubbed KRACK and described as “serious weaknesses” by the researchers who discovered it — set off a flurry of activity in the tech world, with device and software makers rushing to release fixes.
“It doesn’t appear that anybody has exploited it, and technologically it is a bit challenging to exploit, but it shows that if someone who’s talented puts their mind to it, (Wi-Fi) is vulnerable,” said Christian Leuprecht, a political-science professor at Queen’s University and Royal Military College, who has studied cybersecurity issues.
Shared Services, the government department responsible for IT, wouldn’t confirm if it was aware of the flaw or if the government has been affected. The department emailed a statement through a spokesperson saying it “remains vigilant in monitoring any potential threats and has robust security measures in place to address them.”
More than 8,000 wireless access points are in use by federal employees. The tech website Ars Technica wrote that “the vulnerability is likely to pose the biggest threat to large corporate and government Wi-Fi networks.”
The Communications Security Establishment, the national cryptologic agency, said it was not aware of any reported exploitation of the vulnerability and stressed to government departments that applying relevant patches “as soon as they are made available by vendors is key to protecting networks from vulnerabilities.”
Since the flaw is in the protocol itself rather than in any one product, it could affect nearly every Wi-Fi-enabled device in the world. Android and Linux devices are particularly susceptible: the wpa_supplicant software many of them use can be tricked into installing an all-zero encryption key, which makes their traffic trivial to decrypt. Windows and iOS devices are less exposed.
David Skillicorn, a professor at the Queen’s University School of Computing, said a likelier target than government Wi-Fi networks could be the home networks of high-level officials in the government.
If someone who works with sensitive information works from home over their own Wi-Fi network, their traffic could be exposed if their phone or PC, or the router, hasn’t been patched. The flaw sits mainly on the client side of the connection, so the phone or laptop itself needs the fix, not just the router. Data travelling from an unpatched device could be intercepted by an attacker within radio range.
One mitigating factor is that an attacker would have to actually be in the area — or control a device in the area — which limits their ability to exploit this security flaw. Still, the vexing thing about KRACK is that it attacks the encryption on protected networks: the people who went to the trouble of password-protecting their home networks are the ones affected, while open networks were never encrypting traffic in the first place. The attack does not reveal the network password; it lets the attacker decrypt, and in some cases inject, traffic on the network.
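To show why a replayed handshake message is so damaging, here is an added simulation that is not from the article and does not implement 802.11, CCMP or the real KRACK exchange: a counter-mode cipher stood up with HMAC-SHA256 as the block function, a client that resets its packet number (the nonce) whenever a key is installed, and a patched client that refuses to reinstall a key it already holds. The station classes, the sample frames and the session key are constructed for the illustration; the all-zero-key case mirrors the Android and Linux behaviour mentioned above.

```python
"""Why a reinstalled key is catastrophic for a counter-mode cipher.

Constructed illustration: not code from the article and not an
implementation of 802.11, CCMP or the real KRACK handshake. Counter mode is
simulated with HMAC-SHA256 as the block function; the frame counter (packet
number) plays the role of the nonce, as in Wi-Fi, where it resets to zero
whenever a key is installed.
"""
import hashlib
import hmac


def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Counter-mode keystream: PRF(key, nonce || block_counter) per block."""
    out = b""
    block = 0
    while len(out) < length:
        msg = packet_number.to_bytes(8, "big") + block.to_bytes(8, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """A Wi-Fi client: holds the session key and the packet number used as nonce."""

    def __init__(self) -> None:
        self.key = None
        self.packet_number = 0

    def install_key(self, key: bytes) -> None:
        # Installing a key resets the packet number. A replayed handshake
        # message makes a vulnerable client do this a second time.
        self.key = key
        self.packet_number = 0

    def send(self, plaintext: bytes) -> tuple:
        self.packet_number += 1
        ct = xor(plaintext, keystream(self.key, self.packet_number, len(plaintext)))
        return self.packet_number, ct


class PatchedStation(Station):
    """Fixed behaviour: refuse to reinstall a key that is already in use."""

    def install_key(self, key: bytes) -> None:
        if key == self.key:
            return  # already installed: keep the packet number, no nonce reset
        super().install_key(key)


# Constructed sample frames: a guessable request (known plaintext) followed by
# the frame carrying the secret the attacker wants.
KNOWN = b"GET /index.html HTTP/1.1\r\n"
SECRET = b"Cookie: session=hunter2\r\n"
SESSION_KEY = bytes(range(32))  # constructed session key


def recover_with_known_plaintext(ct_known: bytes, pt_known: bytes, ct_target: bytes) -> bytes:
    """Same key and nonce twice: ct1 XOR ct2 == pt1 XOR pt2, so knowing one
    plaintext reveals the other."""
    return xor(xor(ct_known, ct_target), pt_known)


def attack(station: Station) -> bytes:
    """Run the key-reinstallation scenario against a client and return what the
    attacker recovers of SECRET (garbage if the client is patched)."""
    station.install_key(SESSION_KEY)  # handshake completes normally
    _, ct_known = station.send(KNOWN)
    station.install_key(SESSION_KEY)  # replayed message: key reinstalled
    _, ct_secret = station.send(SECRET)
    return recover_with_known_plaintext(ct_known, KNOWN, ct_secret)


def zero_key_attack() -> bytes:
    """The all-zero-key case: the client wiped the key from memory after the
    first install, so the replay installed a key of zeros and the attacker
    needs no known plaintext at all."""
    station = Station()
    station.install_key(SESSION_KEY)
    station.send(KNOWN)
    station.install_key(b"\x00" * 32)
    n, ct_secret = station.send(SECRET)
    return xor(ct_secret, keystream(b"\x00" * 32, n, len(ct_secret)))


if __name__ == "__main__":
    print("vulnerable client:", attack(Station()))
    print("patched client:   ", attack(PatchedStation()))
    print("zero-key client:  ", zero_key_attack())
```

The patched client keeps counting packets from where it left off, so the second frame is encrypted under a fresh nonce and the known-plaintext trick yields nothing; that single "do not reinstall an in-use key" rule is the essence of the vendor fixes.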
In the wake of security problems like this and recent high-profile hacking incidents, there has been a move to more secure websites across the internet. More than half the web now uses HTTPS, rather than its unencrypted cousin HTTP. Encryption at the web layer also limits what an attacker can read even when the Wi-Fi encryption underneath it fails.
Some sections of the government’s website still use the old, non-secure standard.
For example, a page on the government’s website where users can request a status update on document authentication is an unsecured HTTP website.
The Chrome web browser flags the site as not secure and warns that users “should not enter any sensitive information on this site (for example, passwords or credit cards), because it could be stolen by attackers.” The form asks for a user’s full name, telephone number, and complete address.
The United States government has adopted a policy that requires HTTPS across all federal websites. The Treasury Board has plans for an “HTTPS everywhere” standard that is currently being implemented.
“Of course it’s a problem. These are reasonably straightforward things we should be doing. This is not rocket science, it’s a simple way of making sure all your communication is secure,” said Leuprecht.
A website explaining the U.S. government policy makes a strong case for HTTPS. “Today, there is no such thing as non-sensitive web traffic, and public services should not depend on the benevolence of network operators,” it reads.