NETWORK VULNERABILITIES

Liz Fitzsimons, Partner, and David Cook, Senior Associate, Eversheds Sutherland, UK

WPA2 and the KRACK vulnerability: risks to organisations

The discovery of a significant security flaw - revealed publicly on 16 October 2017 - in the security certification protocol Wi-Fi Protected Access II ('WPA2'), a protocol used by a large majority of Wi-Fi transmissions, is a timely reminder that security cannot be taken for granted. Liz Fitzsimons and David Cook, of Eversheds Sutherland, assess the risks to WPA2 networks from the discovered vulnerability, and the legal and technical issues that could arise from the vulnerability being exploited.

Cyber Security Practitioner, a Cecile Park Media Publication | November 2017

WPA2 and why it matters to you

The stakeholders who pioneered Wi-Fi, the quick and reliable method of transmitting and receiving data wirelessly, formed an alliance which went on to own and control the 'Wi-Fi Certified' registered trade mark, the use of which it only allows for equipment that meets very specific criteria [1]. From 2006 onwards, this meant that to have products designated as Wi-Fi Certified, they had to make use of a specific security certification protocol called Wi-Fi Protected Access II ('WPA2'). Use of WPA2 has become so commonplace that it would actually be difficult to find Wi-Fi transmissions occurring without it [2].

Discovery of the WPA2 security flaw

In October 2016, security researchers from the University of Leuven uncovered a flaw in WPA2 that established a significant vulnerability in the protocol [3]. The researchers referred to the vulnerability as a Key Reinstallation AttaCK ('KRACK') and the discovery was widely reported in the media, often in a somewhat exaggerated manner, such as with the headline: 'Almost every wi-fi connection in the world has been hacked!' Nevertheless, the KRACK vulnerability raises some interesting technical and legal questions which businesses and organisations need to consider and deal with. This is especially so for those impacted by data protection and other data legislation imposing data security obligations, particularly those impacted by the impending EU General Data Protection Regulation ('GDPR'), which will apply in full from 25 May 2018.

Vulnerability

The encryption used in WPA2 is not broken and not all communications are automatically laid bare. It has, though, been identified that there is a vulnerability in relation to how encryption keys are exchanged as part of setting up the secure communications. That weakness can be exploited by an attacker to trick victim machines into reinstalling keys that are already in use, by manipulating and replaying handshake messages.

Where successful, this novel attack technique can then be used to intercept and read information that was previously assumed to be safely encrypted by WPA2, which could include sensitive information such as credit card numbers and passwords, confidential or proprietary information, or other personal data. In terms of access to and potential misuse of those details, this has serious potential consequences for individuals, businesses and organisations affected. In terms of the body legally responsible for the security of the affected data, there can be serious compliance consequences. These include regulatory enforcement action and sanctions, including fines (all made public); individual compensation claims by affected individuals, possibly on a class action basis; breach of contract claims from commercial partners; and damage to reputation which may impact share price, goodwill and future ability to win business.

Limitations

Despite the media reports, the ability to exploit the KRACK vulnerability is limited by several factors.

Physical proximity limiter

An attack can only occur if an attacker or eavesdropper is within sufficient range of the victim network. The stereotypical attacker is not going to be able to use this attack against you, unless they are very close to the victim's machine, making the physical proximity limiter significant.

Secondary cryptographic security limiter

The vulnerability appears to be limited to communications where the relevant WPA2 protocol has not been suitably enhanced by an additional overlaying security layer. The internet has evolved to be very secure and most internet traffic is protected by more than one layer of security. In those cases, although communications might still be intercepted and the WPA2 security stripped away, the transmissions may remain safely encrypted using a cryptographic protocol at the Transport or Application Layer, such as HTTPS, or through the use of a Virtual Private Network ('VPN').

Effective patching limiter

The researchers uncovered the vulnerability and reported it to vendors before the details were publicly released, in order that patches could be prepared to remedy the issue. Vendors have been providing patches in software updates which should help reduce the risk of attack.

Legal position

Before breathing a sigh of relief about the limiters and assuming there is no ongoing issue, we suggest you read on and, if not already in hand, make some checks.

Security principle

In the EU, current data protection laws, such as implemented by the UK's Data Protection Act 1998 ('DPA'), have a data security principle, imposing an obligation on data controllers to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data [4]. Although the security principle continues under the GDPR, rebadged 'integrity and confidentiality' [5], its impact spreads and the importance of compliance with it increases.

The GDPR

The GDPR explicitly references taking account of the 'state of the art' and the likelihood of risk and its impact, as well as the need to ensure 'resilience' of processing systems and services. It also specifically requires an appropriate 'process for regularly testing, assessing and evaluating the effectiveness' of security measures. In addition, not only does this more explicit security obligation affect data controllers, but it will from May 2018 also directly bite on data processors subject to the GDPR. As a result, both customers using software and hardware and the suppliers of those products must comply with this obligation.

Compliance becomes more important as the other big changes in the GDPR are mandatory breach reporting of security breaches affecting personal data to the relevant data protection authority, with limited exceptions, combined with the potential for the regulator to issue a fine of up to 2% of annual global turnover, potentially at group level for a security breach.

Effect of a failure to patch

The WannaCry attack targeted vulnerabilities that had actually already been addressed by way of patches introduced two months previously [6]. The attack was therefore arguably avoidable and as a result, potentially, so too was much of the estimated $6 billion cost of the attack [7].

While that was troubling enough, the NotPetya ransomware attack then exploited the exact same vulnerability [8] a month later [9]. Businesses should have been aware of the original WannaCry issue by then and would have a challenge explaining why they had not appropriately dealt with that vulnerability after three months. That NotPetya worked at all is demonstrative of a major issue in reacting to news of security vulnerabilities and patches.

Regulatory enforcement action and lessons learned

What does a data protection authority think of security breaches in such circumstances and how will it react? Although there are no regulatory decisions yet on data security under the GDPR, guidance and experience under the current legal security principle should at least be persuasive under the GDPR and help us prepare for it. Regulator decisions to date on security obligations and breaches are therefore likely to indicate the minimum that will be expected under the GDPR.

Already there have been reported cases and fines triggered for breaches in the context of published software vulnerabilities and patches. In one case, a business failed to implement appropriate security over a database that held the personal data (including financial information) of over 100,000 customers. This was duly accessed by a hacker, who gained access through exploiting a known vulnerability that had not been patched. This was found to be a breach leading to a penalty of over £250,000. A similar case arose in relation to another vulnerability, when an organisation took just over three months to install a patch released to fix the issue. In that time, a hacker was able to exploit the vulnerability and access data. The data protection authority imposed a six figure penalty for these failings.

We can learn several things from these decisions and from our experience of assisting clients to manage similar cyber attacks.

• The regulator clearly expects businesses and organisations to be aware of security flaws about which they are alerted and to act on them.

• Organisations and businesses can take a considerable amount of time to implement patches, often two to three months and sometimes longer. There can be sound reasons why a patch cannot immediately be adopted across a large and complex IT estate whilst the implications of it are considered and worked through, but in the event of an attack in the meantime, it may be difficult to convince a regulator that appropriate prompt action had been taken.

• If data security and maintenance is outsourced internally or externally, checks are still required to ensure the provider has implemented the patches and in a timely manner.

• Even if no data is stolen or lost, the mere access to the personal data by an unauthorised person involves a breach of security.

• We have dealt with a number of breaches where between a flaw being identified and a patch implemented, there has been a data exfiltration as above. In each case, the business checked and initially thought that even if there had been a compromise of security, there had been no loss of data. In each case, on later, deeper checking, it was found that serious data exfiltration had occurred and the breach then had to be reported and affected individuals informed.

What measures can be taken to reduce risk?

The patches made available to counter the WPA2 issue should normally have been implemented by now. Many users will now find that installing the most up to date versions of applications, browsers and wireless router software will remove the vulnerability from the network altogether. It will be hard to convince regulators that failing to deal with a well-known security vulnerability, especially where an appropriate fix is likely to have been released and is available normally at minimal cost, meets the appropriate security standard required.

Businesses and organisations should check to make sure this action has been completed and if not, take appropriate steps urgently. In addition, but especially where a patch cannot be applied or adopted, can hardware be replaced, or can use be made of additional layers of security and encryption, such as through a VPN? Continuing use of areas remaining exposed should be minimised.

The process and timing of noting and responding to such security updates should be considered. How long is it taking to become aware of such updates once made known? How long is it taking to adopt patches released once available? Are they applied to key areas urgently? How can security and awareness of attacks and data exfiltration be improved pending patch application? If there are delays or problems, why is this and what can be done to reduce them?

Suppliers designing software and hardware should use the greater awareness to avoid repeating the vulnerability or similar issues. In addition to suppliers becoming directly liable for security under the GDPR, there is a new legal obligation under the GDPR to ensure that use of personal data is subject to 'privacy by design and default,' to build in data minimisation and security from the outset for all systems and processes. Buyers will in future be far more concerned to receive assurances about data security and data controllers must ensure products and systems meet this standard.

Post-reform landscape

Risks caused by the KRACK vulnerability, first revealed in October 2016 but not widely known until almost a year later, should be largely resolved by the time the GDPR applies in full in 2018. Nevertheless, many data controllers will have simply neglected to implement the patches necessary to secure the personal data held and that might still see regulatory enforcement around this vulnerability. In the event of a KRACK-based incident post May 2018 under the GDPR regime, it will be interesting to see how regulators respond and their decision will give a valuable indication of the real extent of obligations in this area.

References

1. https://www.wi-fi.org/who-we-are/history
2. http://www.wi-fi.org/news-events/newsroom/wpa2-security-now-mandatory-for-wi-fi-certified-products
3. https://papers.mathyvanhoef.com/ccs2017.pdf
4. Schedule 1, Part I, paragraph 7 of the Data Protection Act 1998.
5. Article 5(1)(f) of the GDPR.
6. https://www.defensorum.com/global-reports-wannacry-ransomware-attacks/
7. http://www.independent.co.uk/news/business/news/global-cyber-attacks-economic-losses-natural-disasters-catastrophic-wannacry-cyence-a7844586.html
8. Known as EternalBlue and reputed to have been a vulnerability previously used by the NSA and released 'into the wild' as a result of the Edward Snowden data dumps.
9. https://www.kaspersky.com/blog/new-ransomware-epidemics/17314/
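As an added illustration of the 'Vulnerability' section above (example code written for this page, not code from the article or from the Leuven researchers), a toy Python model of the client side of the handshake: the unpatched client reinstalls an already-installed key when it sees message 3 again and resets its nonce, so two frames share a keystream, while the patched client (the behaviour the vendor patches introduce) ignores the repeat. The one-message handshake, the key name and the SHA-256 keystream standing in for CCMP are simplifications assumed here.

```python
"""Toy model of a WPA2 client (supplicant) handling message 3 of the 4-way
handshake. Constructed example: not code from the article or the Leuven
researchers; CCMP is stood in for by a SHA-256 keystream (frames up to 32 bytes)."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Supplicant:
    patched: bool                 # True: refuse to reinstall a key already in use
    ptk: Optional[bytes] = None   # pairwise transient key agreed in the handshake
    installed: bool = False
    tx_nonce: int = 0             # packet number mixed into each frame's keystream
    used: List[Tuple[bytes, int]] = field(default_factory=list)  # (key, nonce) pairs

    def on_msg3(self, ptk: bytes) -> None:
        """Message 3 (possibly a retransmission) instructs the client to install the key."""
        if self.patched and self.installed and ptk == self.ptk:
            return                # hardened: key already installed, leave the nonce alone
        self.ptk = ptk
        self.installed = True
        self.tx_nonce = 0         # unpatched clients reset the nonce here: the weakness

    def send_frame(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Encrypt one data frame under the installed key; returns (nonce, ciphertext)."""
        if not self.installed:
            raise RuntimeError("no key installed")
        self.tx_nonce += 1
        self.used.append((self.ptk, self.tx_nonce))
        stream = hashlib.sha256(self.ptk + self.tx_nonce.to_bytes(8, "big")).digest()
        return self.tx_nonce, bytes(p ^ k for p, k in zip(plaintext, stream))

def keystream_reused(s: Supplicant) -> bool:
    """Defender's check: the same (key, nonce) pair must never encrypt two frames."""
    return len(s.used) != len(set(s.used))

def simulate(patched: bool) -> bool:
    """Finish the handshake, send a frame, see message 3 again, send another frame."""
    s = Supplicant(patched=patched)
    ptk = b"constructed-ptk-for-demo"
    s.on_msg3(ptk)
    s.send_frame(b"first frame")
    s.on_msg3(ptk)                # repeated message 3, the condition KRACK relies on
    s.send_frame(b"second frame")
    return keystream_reused(s)

if __name__ == "__main__":
    print("unpatched client reuses keystream:", simulate(False))  # True
    print("patched client reuses keystream:", simulate(True))     # False
```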
