Details of a serious security vulnerability in a Wi-Fi protocol everyone uses were made public overnight. The flaw could potentially be coupled with other security issues to take over nearby devices, although we don’t expect to see compound attacks straight away.
Of more immediate concern is that website content could be interfered with in transit and passwords stolen. This is being covered by NZ Herald and Radio NZ.
All PCs, mobile devices and Wi-Fi access points need updating urgently to protect against this rather serious security vulnerability.
What we’re doing (for our managed services schools and other customers)
- We are skipping some of our internal tests so we can push out the October Windows updates, which contain a fix for this issue, to schools more urgently. You’ll see PCs wanting to apply security updates today.
- Other customers should have Windows Automatic Updates enabled.
- We will be urgently updating all UniFi managed wireless access points tonight.
- For schools with WSNUP Huawei Wi-Fi, we have not yet heard from Huawei about updates; we will check daily.
What you may need to do (both at work and at home)
- If we’re not managing your Wi-Fi, check with your Wi-Fi MSP for updates urgently.
- If you have an iPhone or a Mac, either at school or at home, make absolutely sure it installs all available updates. Apple have advised they will be releasing security updates for iOS and macOS “soon”. Staying on top of updates is the best (and only) way to ensure you are protected as and when Apple release their fixes.
- For any home Windows PCs you have, the same applies – make sure they are automatically updating. This is usually switched on by default for Windows 7, 8, and 10.
- If you have an Android phone (this includes Sony, Samsung, HTC, LG, Huawei, etc.), we strongly recommend you do not use public Wi-Fi, even if it is secured, until you know for sure your phone has been updated. It looks like Android updates are not coming until November 6 at the earliest, with many vendors likely to take some time to make updates available. To check, go to Settings > System > System updates and look for “Security patch level”, which shows a date. The 6 November 2017 patch is expected to resolve this issue. If you don’t see “Security patch level” at all, your phone may never get updated and we recommend you replace your phone.
- For your home modem: if you have a recent Spark or Vodafone modem (less than three years old), we expect that Spark and Vodafone should automatically update these in due course. If you have a different modem, check with your internet provider when they will release an update.
If you have any questions relating to this vulnerability, please get in touch with us.