Vulnerability of Wi-Fi WPA2 networks


A serious vulnerability affecting the Wi-Fi Protected Access II (WPA2) protocol has been discovered. A potential attack would work against most Wi-Fi network setups, e.g. the original WPA, WPA2, and even networks that only use the Advanced Encryption Standard (AES) technique.

Every time a vulnerability affects the security of a network or a cryptographic protocol, a wide range of devices or services are potentially put at risk.

This vulnerability enables an attacker to modify the protocol’s handshake, which can essentially lead to interception of the internet traffic of a Wi-Fi network. Also, depending on the network configuration, the attacker could inject and/or manipulate data without owning or breaking the network’s password.

Affected devices, such as smart devices, Internet of Things (IoT) devices, routers etc., might never receive a patch addressing the issue.

A potential attacker who is in physical proximity to a protected Wi-Fi network and carries out this attack performs a ‘man-in-the-middle’ attack. The attacker can essentially intercept or decrypt internet traffic without owning any passwords or cryptographic keys. Therefore, changing the Wi-Fi password would not help.

The EU Cybersecurity Agency ENISA has collected and analysed information on this situation and has issued a cybersecurity info note. This provides a comprehensive overview of the event and key recommendations on how to proceed in case people and organizations are affected.

Despite the fact that this vulnerability is present in the Wi-Fi standard and thus affects a very large number of devices, Wi-Fi users should not panic. This issue can be resolved through software and firmware updates.

While waiting for manufacturers to prepare and push patches for their devices, you should either apply the available security measures or use the 4G mobile internet connection delivered by your carrier instead of a Wi-Fi connection.

For each of your Wi-Fi enabled devices, check with the manufacturer or vendor and apply patches as soon as they become available. Also, apply security measures on different layers. For example, use only HTTPS websites and trusted Virtual Private Network (VPN) providers. If you’re an organization, you should separate your wireless network from the enterprise wired networks.

All EU Member States’ regulatory authorities are aware of the seriousness of the situation. They have issued warnings, alerts or other relevant information that also include recommendations for end users.