The announcement that the WPA2 encryption standard, which is used to secure data traffic flowing over most Wi-Fi networks, is breakable is another blow to the security structures that keep most people safe on the internet.
The ad-hoc administrative and technical security infrastructure that has been kludged together over the years to support and secure internet users is failing by degrees. This particular vulnerability reopens an attack route that had previously been successful in gathering information by monitoring the traffic flowing from Wi-Fi systems. Typically, banking and other credentials were taken from exposed Wi-Fi connections and used to impersonate victims for financial gain.
The newly exposed vulnerability in the WPA2 encryption standard recreates these conditions. But this time, greater amounts of data flow over Wi-Fi networks and the rise of Wi-Fi enabled devices has added even more traffic into this mix. The solution will require a patch for many routers and other IOT devices and this is considered notoriously difficult given how slow this process can be. Given the differing array of Wi-Fi connected devices it is impossible to assess what effects the exposure of this data will have.
As with many of the new vulnerabilities discovered within our cyber infrastructure, this exploit has the most immediate impact for the people with the most to lose, including elected officials who face unprecedented threats to their personal and official data. Digital crime is a rational game of time and money, so exploring this new vulnerability against the most prominent and useful Wi-Fi targets will be the first order of business given that there is a degree of complexity associated with establishing this attack.
However, growth in the development of “crimeware” (as opposed to software) will see the packaging and simplification of this particular method of crypto-attack for wider use. Trickle-down cyberattacks have become a repeatable economic model used by the funders and developers of global cyber-crime to the detriment of all legitimate users.
Nobody should forget that the internet was never conceived as a secure system of data transfer and the patches slapped onto it over the years as more and more critical information is sent through it cannot be expected to endure. As legacy systems creak and crack under the relentless pursuit of malign or benign disruptors American citizens are increasingly left exposed to digital data loss at an unprecedented scale. As our lives have become more digital our personal data production has exponentially increased coupled with a matching increase in rewards for manipulating and packaging this data for nefarious gain.
The constant drumbeat of digital breaches has become deafening making it hard to discern the true signal in amongst the noise. However, it is becoming clear that events such as the Equifax breach represent a Cambrian moment for cyber security. In the past, it was possible to ignore the signs of increasing vulnerability for American families. This ignorance is no longer possible or acceptable. In juxtaposition, cybersecurity innovation has actually been tremendous during this time, with large corporations spending significant sums to secure their data promoting a host of new cybersecurity investment and development.
However, this innovation has not made its way towards those who can’t support the cost of cybersecurity infrastructure. This includes small but mighty professional financial and legal firms as well as other individuals in positions of influence. In order to be secure in this new world you need access to effective cybersecurity, typically through a large institution, creating a stark have and have-not situation around digital safety.
Access to information is one thing, but utilizing it securely is quite another. Therefore, we need is not more A.I., but more market innovation to spread the benefits of advancing cyber-defenses beyond the walls of large corporations and institutions. In the meantime, individuals and institutions without the ability to support credible cybersecurity teams will continue to be vulnerable to the dismantling of our patchwork defenses.
Roderick Jones is the CEO and founder of Rubica, a cybersecurity firm. He began his career with Scotland Yard’s Special Branch focused on international terrorism and the close protection of a British cabinet member.