Client Alert: Significant WiFi vulnerability exposed

Transcription

1 Client Alert: Significant WiFi vulnerability exposed

2 What is the problem? Belgian researchers have published information about a vulnerability in the most popular WiFi encryption protocol that makes monitoring of all communications possible, except those communications that are otherwise secured (for example, when communicating with a secure server or when using a virtual private network or VPN ). For example, a person using a laptop to connect to a WiFi router to access the internet and who then logs in to an account, views and amends a client pitch document and then s it across to colleagues to check, risks the potential interception and public dissemination of the contents of all of that material and the account username and password too. Who does it affect? WiFi traffic is very frequently encrypted via the WPA2 protocol. It is this protocol that has been cracked, meaning that traffic passing from computer devices (phones, laptops, tablets and suchlike) to access points (WiFi routers) can be intercepted and decrypted. The intercepted contents can then be read, unless they are otherwise encrypted. For example, if you are passing confidential material, trade secrets, user names and passwords, personal data or sensitive material solely via WPA2 encryption (that is, you are not using a VPN or going through a secure website (i.e. one that starts with or has the little lock icon), you are leaving yourself open for that material to be intercepted and read. When will it be fixed? As always, companies should ensure that they are frequently patching software and that they are using the most up-to-date versions available. Having said that, fixes will be slow to roll out, and Internet of Things devices with embedded WiFi are likely to be difficult to update. Employees who log on via their home networks may also be affected. What should we do? A good starting point for continuing to protect data and transmissions would be: 1. Try to use connections in order to be provided with an alternative encryption technique that is unaffected by this vulnerability. 2. Update your WiFi router and endpoint devices as soon as patches and updates are available. Both elements need to be updated in order to address the issue. 3. Consider the use of a Virtual Private Network (VPN) if you need to transmit particularly sensitive material and remain concerned. 2

3 What is the law? There are data protection and cyber security laws and regulations in place across the majority of the globe, which are constantly in the process of being refined, updated and strengthened. The requirements on businesses are becoming increasingly challenging. Failure in this space is now a far-wider issue than simply non-compliance. Regulators are becoming armed with a much more fearsome arsenal of powers, including the oft-quoted 4% of annual global turnover as the maximum GDPR penalty, data subjects are more aware of their rights than ever before and a litigation culture is now becoming embedded, and reputational damage seemingly always flows from a data breach. European Union Member States have very specific requirements under the EU Data Protection Directive (which is implemented into national legislation, such as the Data Protection Act 1998 in the UK). There is also sector specific legislation that applies to cyber security for regulated business, such as financial services, public bodies and telecommunications providers. In the US, there are a wealth of different legislative tools that compel appropriate levels of cyber security including 201 Mass. Code Reg , Standards for the Protection of Personal Information of Residents of the Commonwealth; Nev. Stat. 603A.215; N.Y. Comp. Codes R. & Regs; Gramm-Leach-Bliley Act; and, Health Insurance Portability and Accountability Act. There will be very few businesses that are not subject to data security requirements (if any). This vulnerability should therefore be on the radar of every client. We have a market-leading global team of specialist lawyers that advise on data protection and cyber security matters from compliance through to breach, regulatory investigation, enforcement, and litigation. 3

4 Your key contacts Paula Barrett Co-Lead of Global Cybersecurity and Data Privacy and Practice Craig Rogers Liz Fitzsimons James Hyde Gayle McFarlane David Cook UK Senior Associate Michael Bahar Co-Lead of Global Cybersecurity and Data Privacy and Practice Mark Thibodeaux US Associate Mary Jane Wilson-Bilik Mark D. Herlach Bob Owen Al Sand US Associate

5 This document is intended as a general overview and discussion of the subject dealt with. The information provided here was accurate as of the day it was created; however, the law may have changed since that date. This information is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. The authors are not responsible for any actions taken or note taken on the basis of this publication. Where references or links are made to external publication or website, the views expressed are those of the authors of those publications or websites which are not necessarily those of the authors of this document, who accept no responsibility for the contents or accuracy of those publications or websites. eversheds-sutherland.com Eversheds Sutherland All rights reserved. Eversheds Sutherland (International) LLP is part of a global legal practice, operating through various separate and distinct legal entities, under Eversheds Sutherland. For a full description of the structure and a list of offices, please visit 5