WPA2 vulnerability: practical help & recommendations of the BSI

Anyone who has followed the media over the last week will have been told repeatedly that their own Wi-Fi network at home is now considered insecure.

What is the reason for that?

What does the BSI say about it?

And what can you really do to be safe?

The WPA2 vulnerability

The reason why nobody noticed for several years that WPA2, the supposedly secure authentication to wireless routers, is not secure may safely be attributed to the US service "CIA" and also to the German secret service "BND". According to information that also originates from Edward Snowden's collection, the gap is likely to have been known already 6 years ago. The secret services wanted to exploit this gap rather than make the information publicly available. As a result, today almost 96% of all deployed Wi-Fi routers, and also the end devices, are equipped with an insecure solution. That affects billions of devices worldwide!

This vulnerability makes it possible for strangers to gain access to the router's own network and, like any other device that uses the network, to profit from the lower security settings that apply inside one's own network. The most dangerous suspected option is that all data leaving the router could be redirected and read along the way, which may also affect bank data, for example.

The problems with the WPA2 gap

As just described, the first problem is that the gap affects every device on the market or in use, so there is no quick fix. The second problem is that it enables very rewarding new attack scenarios, which will not be long in coming. Thirdly, it is unfortunately the case that most devices are barely protected against attacks from their own local network (see the automatic Windows shares within your own network).

So it is a genuinely serious problem, and one that will not get a quick fix. Until every user has new routers and new devices, we will simply have to live with this vulnerability!

What does the BSI say?

The German BSI likes to look after the security of private users. However, it conceals that neighboring services like the BND must have known about this for years!

Well, what do the gentlemen at the BSI recommend?
In short, their statements can be summarized as:

  • The problem will persist for a long time.
  • There is no remedy.
  • Protect every single device as if it were not in your own network.
  • Use VPN tunnels for data transfer to avoid the risk of sensitive data being monitored or spied on.

The relevant passage from the BSI is:

"Use your Wi-Fi network as if you were dialing into a public Wi-Fi network, such as at your favorite café or train station. Refrain from sending sensitive data, or use a VPN tunnel for that; wired surfing is still safe. Companies should sensitize their employees and take appropriate measures to protect their company networks. Security updates have been announced by several vendors and should be installed by the user immediately as soon as they become available," explains Arne Schönbohm, President of the BSI. (link: Contribution of the BSI)

The statement about the VPN tunnel is remarkable, since this has of course always been one of the most important arguments for using a VPN. In this case, however, only the data going to and coming from the Internet is protected against access by alleged hackers who have already connected to your own network; traffic between devices inside the network is not covered.

What can you do now?

The WPA2 gap will keep us busy for years, and there will be no solution in the foreseeable future. You cannot get updates for all devices, and even where the gap can be fixed via updates, the updates will probably only reach newer hardware and never all of it. So we have to find a way to deal with it.

Therefore, here are the practical tips that will secure your network:

  1. Check all security settings of all devices on your network.
    Configure each one of them, wherever possible, so that it has no shares and no lower security settings within your own network than it would have if it were reachable from the Internet. This applies above all to NAS (storage solutions), Windows computers, Mac OS computers, and access to the router itself (password protection and SSL encryption as a MUST when accessing the configuration, etc.).
  2. If possible, remove all devices that cannot be protected from your own network.
    For example, USB data sticks that serve as a network hard drive and are plugged into the router. Assume that a third party could have access to your router and therefore to this data.
  3. Reset all existing firewalls on the individual devices back to their default settings and delete all exceptions granted over time, in order to set them up again from scratch.
  4. Check all devices to make sure that no sharing of folders or data on your own network is allowed.
  5. Use a VPN provider you trust for all your activities on the Internet.
    If you can, use this VPN service always, 24 hours a day (possibly by using a VPN router!)
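The tips above boil down to the BSI's advice to treat the home LAN like a public hotspot. As an added example that is not part of the original post, the following PowerShell script audits and hardens a Windows client in that spirit (tips 1, 3 and 4): it shows which network profile and which SMB shares the machine exposes, switches the Wi-Fi adapter to the Public profile, disables the file-and-printer-sharing rules, and blocks inbound connections by default. The adapter alias pattern 'Wi-Fi*' and the share name 'Media' are assumptions for illustration; run it in an elevated session.

```powershell
# Audit first: which profile is each connected adapter using? Private/Domain
# turn on network discovery and sharing, Public does not.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# Which SMB shares does this machine expose to the LAN? Everything that is not
# an administrative default share (C$, ADMIN$, IPC$) is a candidate for removal.
Get-SmbShare | Where-Object { -not $_.Special } | Select-Object Name, Path, Description

# Harden: put the Wi-Fi adapter on the Public profile so Windows applies the
# same restrictive firewall rules it would use in a cafe.
# 'Wi-Fi*' is an assumed adapter alias; adjust it to your system.
$wifi = Get-NetConnectionProfile | Where-Object { $_.InterfaceAlias -like 'Wi-Fi*' }
foreach ($p in $wifi) {
    Set-NetConnectionProfile -InterfaceIndex $p.InterfaceIndex -NetworkCategory Public
}

# Disable the built-in "File and Printer Sharing" rule group on all profiles,
# so a later flip back to Private does not silently re-expose shares (tip 4).
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'

# Block inbound by default on every profile, then re-add only the rules you
# really need (tip 3: back to a restrictive baseline).
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Remove a user-created share; 'Media' is a placeholder share name.
if (Get-SmbShare -Name 'Media' -ErrorAction SilentlyContinue) {
    Remove-SmbShare -Name 'Media' -Force
}

# Re-check the result.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
```

On a NAS or Mac the same idea applies: list what is shared on the LAN side, then restrict it to what you would accept from the Internet.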

The main problem may be NAS or online storage solutions in your own network, because they synchronize and usually allow access from the local network with greatly reduced security settings. Therefore, check the settings of your NAS (Synology, QNAP, etc.) and make sure that these devices can only be accessed from your own network as restrictively and securely as from the Internet.


Created on: 10/31/2017
