A flaw has been found in Wi-Fi Protected Access (WPA), currently the most widespread mode of Wi-Fi encryption, and some analysts are painting a gloomy picture. PC World reports that security researchers Erik Tews and Martin Beck have found a hole in the WPA encryption protocol that malicious users could exploit to steal data sent from routers to Wi-Fi-enabled computers. This same flaw may be used to send unsolicited data online, which may in turn lead to the downloading of malware, phishing scams, and all sorts of nasty Web-based threats.
However, Trend Micro Advanced Threats Researcher Paul Ferguson believes that WPA is not yet lost. “I think the security of WPA itself is still somewhat secure – this exploit is highly reliant on very susceptible situations,” he says. The exploit itself does not allow malicious users to steal information sent by computers to routers.
WPA was developed after several flaws in its predecessor, Wired Equivalent Privacy (WEP), were identified. WPA was developed to accommodate two different ways to protect data, Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES). The flaw discovered by Tews and Beck only works on TKIP, which was partially based on WEP.
Other modes of Wi-Fi encryption are believed to be more secure than TKIP, which was the first solution created to improve on the highly insecure WEP. WPA2, for example, usually allows both TKIP and AES encryption methods. So in essence, using WPA2 authentication with AES encryption still secures users’ Wi-Fi transactions.
Further, Ars Technica has quoted Tews as saying, “If you used security features just for preventing other people from using your bandwidth, you are perfectly safe.” A long network key, a short rekeying time, and a busy network can also handily defeat this exploit.
Users shouldn’t be too scared of having their air-borne Wi-Fi data messed with. At least not yet. There’s no harm in switching to WPA2, though.
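To check an access point against the advice above (WPA2 with AES only, or a short rekeying time where TKIP must stay), the following is an added example, not part of the original article, that audits hostapd-style settings. It assumes a hostapd access point, maps the article's "rekeying time" to hostapd's `wpa_ptk_rekey` option, and uses a 120-second threshold that is an assumption rather than a figure from the article; the sample configurations are constructed.

```python
MAX_REKEY_S = 120  # assumption: what counts as a "short" rekeying time

# Constructed sample configurations (not taken from any real network).
WEAK = "ssid=example-net\nwpa=3\nwpa_key_mgmt=WPA-PSK\nwpa_pairwise=TKIP CCMP\n"
DEFAULT_CIPHER = "ssid=example-net\nwpa=2\nwpa_key_mgmt=WPA-PSK\n"
TKIP_SHORT_REKEY = "wpa=2\nrsn_pairwise=TKIP CCMP\nwpa_ptk_rekey=60\n"
HARDENED = "ssid=example-net\nwpa=2\nwpa_key_mgmt=WPA-PSK\nrsn_pairwise=CCMP\n"

def parse(conf_text):
    """Return key=value settings, skipping comments and blank lines."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def audit(conf_text):
    """Return the TKIP-related findings for one configuration."""
    o = parse(conf_text)
    wpa = int(o.get("wpa", "0"))  # bitfield: 1 = WPA, 2 = WPA2 (RSN)
    if wpa == 0:
        return ["no WPA/WPA2 configured"]
    # hostapd defaults: wpa_pairwise is TKIP, rsn_pairwise follows wpa_pairwise,
    # so WPA2 with no cipher line still offers TKIP.
    wpa_ciphers = o.get("wpa_pairwise", "TKIP").split()
    rsn_ciphers = o.get("rsn_pairwise", " ".join(wpa_ciphers)).split()
    findings = []
    if wpa & 1:
        findings.append("WPA (v1) enabled: set wpa=2")
    tkip = bool((wpa & 1 and "TKIP" in wpa_ciphers) or
                (wpa & 2 and "TKIP" in rsn_ciphers))
    if tkip:
        findings.append("TKIP offered: allow only CCMP (AES)")
        rekey = int(o.get("wpa_ptk_rekey", "0"))  # 0 = no forced rekey
        if rekey == 0 or rekey > MAX_REKEY_S:
            findings.append("TKIP without short rekeying: wpa_ptk_rekey=%d" % rekey)
    return findings

if __name__ == "__main__":
    samples = {"weak": WEAK, "default cipher": DEFAULT_CIPHER,
               "tkip, short rekey": TKIP_SHORT_REKEY, "hardened": HARDENED}
    for name, conf in samples.items():
        print(name, "->", audit(conf) or "no TKIP exposure")
```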