Microsoft has begun pushing out its May 2019 Windows 10 update, which will flag Wi-Fi networks that are using the outdated and insecure Wired Equivalent Privacy (WEP) and Temporal Key Integrity Protocol (TKIP) authentication mechanisms.
WEP was introduced in 1997 as part of the original 802.11 Wi-Fi standard; it was superseded in 2003 by Wi-Fi Protected Access (WPA), which used the TKIP mechanism to strengthen security. TKIP meanwhile became less common in WPA2 (released in 2004), and is nonexistent in WPA3 (released last year).
Both older protocols have known flaws that allow easy decryption by eavesdropping malicious types, but they’re still pervasive in older Wi-Fi networks. That makes man-in-the-middle (MiTM) and malware-injection attacks that much more effective.
Sivan Tehila, director of solution architecture at Perimeter 81, told Threatpost that the move is a good one given that the ins and outs of Wi-Fi security are not necessarily common knowledge – the average Wi-Fi user wouldn’t know how to vet a public network for the type of security it uses.
“As employees become more mobile, they use Wi-Fi more often, and most of the time they are not aware of the risks,” she said. “Meanwhile, attackers use Wi-Fi as their main vector attack by exploiting the weak security of old Wi-Fi technologies.”
This can have serious repercussions for companies. Devices that are compromised at a public hotspot (in an airport, say, or a coffee shop) can then carry an infection back to a corporate network, when they attach to corporate cloud apps or the company LAN, according to Patrick Hevesi, senior director analyst at Gartner.
“Let’s say the device becomes infected [with malware] and then you come into your organization,” he said during a recent Threatpost webinar. “You join the VPN, you get onto the corporate Wi-Fi. You plug that device in through a USB into your PC or your Mac. The hackers are trying to listen for those different aspects [and connections], to possibly come into your organization as well.”
For users that get the new Wi-Fi warning notification in a public space, Microsoft said in a security update this week that users should disconnect from that Wi-Fi network and look around for other options (users can attach to a different network, or perhaps tether to 4G). For home users, “consider changing the type of security that your router or access point uses,” the computer giant said. “You can do this by signing in to your router using the software for it, and then changing the security type for your home Wi-Fi network.”
Terence Jackson, CISO at Thycotic, told Threatpost that raising awareness of the risk of connecting to Wi-Fi using legacy protocols is obviously a positive step, but it’s not a panacea.
“Consumers should still be aware of the need to still exercise good cyber-hygiene when connecting to open Wi-Fi networks,” Jackson said. “Just because your network is using up-to-date standards, doesn’t automatically mean it’s secure.”
Tehila noted that businesses should also be on notice beyond rejecting outdated authentication protocols.
“Organizations hold the responsibility to build trusted wireless environments, protecting their employees and customers from hackers who might easily exploit the weak or non-existent security of traditional and old Wi-Fi networks,” she told Threatpost. “Security teams have to include in their cybersecurity strategy the implementation of updated Wi-Fi security technologies, patching their systems frequently and training employees to be more aware of Wi-Fi risks.”
Want to know more about Identity Management and navigating the shift beyond passwords? Don’t miss our Threatpost webinar on May 29 at 2 p.m. ET. Join Threatpost editor Tom Spring and a panel of experts as they discuss how cloud, mobility and digital transformation are accelerating the adoption of new Identity Management solutions. Experts discuss the impact of millions of new digital devices (and things) requesting access to managed networks and the challenges that follow.