Researchers in Belgium have broken the WPA2 wi-fi security protocol – the wireless security standard used by most consumer and business routers. We explain what this means for you and the security of your own wi-fi router.
UPDATE – Microsoft has announced that it has already developed a fix for the issue, which can be enabled by Windows users who apply the latest available security update. For more on what to do, scroll to the bottom of this article.
WPA2 is the security protocol that is used by the vast majority of wireless routers. It’s long been regarded as safer than the various protocols it has replaced. In effect, it carries most of the personal and business traffic on the internet.
According to reports from the United States Computer Emergency Readiness Team, the WPA2 protocol has been broken. In theory, this could leave home and business routers vulnerable to hacking and snooping. However, the risk remains theoretical at this point, and additional protections are in place on most sites that will protect your personal and financial data.
Wireless routers on test – we rate ISP and third-party wi-fi routers
What does the WPA2 breach mean for me?
By uncovering the vulnerabilities in the WPA2 protocol, there’s potential for hackers to eavesdrop on traffic carried by your router, attack devices connected to your router and even capture data that’s transmitted over your network.
As this vulnerability has been discovered on the security protocol, rather than in an individual website, for example, it means the consequences are potentially wide-reaching. The most important word here is ‘potentially’.
While vulnerabilities have been uncovered, there have been no attacks made yet, and this story is still evolving.
Extra protections in place
‘The WPA2 vulnerability won’t help a hacker to snoop on your Amazon activity or online banking’
It’s important to understand that you’re not instantly vulnerable to anyone and everyone online. Websites with https in the address have additional security in place. In effect, the data you send to those websites is protected. This includes your login details and any password or financial information you supply.
The WPA2 vulnerability won’t help a hacker to snoop on your Amazon activity or find out your online banking details, for example.
Which? security expert Andrew Laughlin says, ‘WPA2 being compromised as a security protocol has a potentially huge impact. However, it is important to stay calm at this stage.
‘Most reputable online shopping and banking websites use https, which brings an additional layer of security beyond just WPA2. That means accessing these sites over wi-fi is still safe, and the recently discovered vulnerability won’t change this.
‘As ever, be vigilant about whether you’re clicking links that lead to legitimate websites. Phishing scam emails can attempt to lead you to imitation sites and services, so be cautious when dealing with unsolicited emails asking you to log into your banking or shopping accounts. If you stay alert, you can still enjoy the web safely.’
What should I do about the WPA2 breach?
This isn’t something that can be fixed by updating your router password or changing the wireless band it transmits on. But, the good news is, a fix has already been released by Microsoft for Windows users. Installing this fix should be straightforward. Users of other operating systems are still awaiting confirmed security fixes, however.
Microsoft Windows users
- If you run Windows 7, 8.1 or 10, then a security patch fix has been made available already by Microsoft. To install this, click Start then search windows update in the Windows search box, and click Check for updates from the results. You’ll be notified of new security updates – install these immediately.
- Windows Vista and XP users will not receive these updates. That’s because both of these operating systems have had their Microsoft support ended. This means no further security fixes or operating system bug fixes. Microsoft ended support for Windows XP in 2014, and ended support for Windows Vista earlier this year. Neither are secure to use online without such updates.
Apple Mac and iPhone/iPad users
- Apple has not yet released a security update to ensure its Mac computers, iPads and iPhones are secured against the threat, but one is expected to be made available imminently.
- On an iPad or iPhone, tap Settings > General > Update and install any updates available under Software Update.
- On a MacBook or iMac, click the Apple icon (top-left) then click Software Updates to see if any are available. Alternatively, open the App Store icon then click Updates.
Google Android users
- The Android operating system presents a thornier issue. As there are so many variants of it, with different tablet and phone manufacturers, such as Samsung or Amazon, adding their own changes to the Android OS, it isn’t a matter of ‘one big update to release’.
- In an email to Forbes a Google spokesperson confirmed that it is “aware of the issue, and… will be patching any affected devices in the coming weeks”.
- Keep an eye out for any available updates to your Android device in the coming days and weeks. This should be available under Settings > Updates, though the exact steps vary from device to device.
Beyond security updates to your operating system, potential router firmware updates from internet service providers may be required. None of the major ISPs have yet confirmed what steps they intend to take, but the Wi-Fi Alliance – a network of companies responsible for wi-fi technology – has stated it is confident that software updates will be released to resolve the issue and that users can continue to connect to their devices.
Above all, there is no need to panic about going online. No attacks have yet been made, and provided you exercise good common sense while browsing online, plus install any system updates made available, your data should remain secure.