One data protection law expert said that firms will
have to review their processes in the light of the technical
breakthrough or risk breaking the terms of the Data Protection Act
(DPA).
Wireless, or Wi-Fi, networks are used by many companies to
transfer data around the company. Firms relying just on the
standard WPA or WPA2 encryption to protect that data may have to
reconsider, according to security consultancy Global Secure
Systems (GSS).
It said that technology invented by Elcomsoft has undermined WPA
security. Elcomsoft's software uses powerful graphics processors,
of the kind normally used for gaming, to guess network passwords
far faster than a conventional processor can.
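The point behind the story is that WPA/WPA2-PSK has only one secret input, the passphrase, and every guess costs the attacker one fixed key derivation; faster hardware therefore shortens the life of every passphrase policy. The following is an added illustration, not code from the article, Elcomsoft or GSS: it derives the pairwise master key the way the standard does (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt) and compares how long several passphrase policies hold out at an assumed guess rate, which is a made-up figure rather than one the article gives.

```python
# Added example: what a WPA/WPA2-PSK guesser has to compute per guess,
# and what a passphrase policy buys a defender.
import hashlib

PBKDF2_ROUNDS = 4096   # fixed by the WPA/WPA2-PSK standard (IEEE 802.11i)
PMK_LEN = 32           # 256-bit pairwise master key


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the pairwise master key as WPA/WPA2-PSK does:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    Only the passphrase is secret, so each candidate passphrase costs
    one run of this function; hardware that runs it faster shrinks the
    time every policy below holds out."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LEN)


def search_space(length: int, alphabet_size: int) -> int:
    """Number of candidates an exhaustive search of this policy must cover."""
    return alphabet_size ** length


def years_to_exhaust(length: int, alphabet_size: int,
                     guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random passphrase of this policy
    (half the space on average) at the given guess rate."""
    seconds = search_space(length, alphabet_size) / 2 / guesses_per_second
    return seconds / (365 * 24 * 3600)


def policy_table(guesses_per_second: float):
    """Compare representative passphrase policies at one guess rate."""
    policies = [("8 lowercase letters", 8, 26),
                ("8 letters and digits", 8, 62),
                ("12 letters and digits", 12, 62),
                ("20 random printable", 20, 95)]
    return [(name, years_to_exhaust(n, a, guesses_per_second))
            for name, n, a in policies]


if __name__ == "__main__":
    # "password"/"IEEE" is the standard's own published test vector.
    print(wpa_psk("password", "IEEE").hex())
    RATE = 10_000.0  # guesses/second: an assumed figure for illustration only
    for name, years in policy_table(RATE):
        print(f"{name:24s} {years:12.3g} years")
```

Raising `RATE` by a factor of a hundred, roughly the jump the article describes from a CPU to a graphics card, leaves the 8-character rows unsafe while the long random passphrase remains out of reach, which is the reassessment the DPA's seventh principle asks for.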
"This breakthrough in brute force decryption of Wi-Fi signals by
Elcomsoft confirms our observations that firms can no longer rely
on standards-based security to protect their data," said David
Hobson, managing director of GSS.
The Data Protection Act is based on eight principles. The
seventh demands that companies take technical precautions to
protect data.
It states: "Appropriate technical and organisational measures
shall be taken against unauthorised or unlawful processing of
personal data and against accidental loss or destruction of, or
damage to, personal data."
William Malcolm, a data protection law specialist at Pinsent
Masons, the law firm behind OUT-LAW.COM, said that companies needed
to ensure that their wireless security does not fall foul of this
requirement.
"When it comes to personal data the law requires that
organisations put in place appropriate technical and organisational
safeguards," he said. "This is a moving feast – organisations need
to assess what is appropriate in the light of evolving market
practice, the cost of implementing measures as well as the nature
of the data and what harm could result from its disclosure."
"If organisations are aware of security failings then they
should re-assess whether a solution remains appropriate," he
said.
GSS's Hobson said that the security breach was predicted but
that the use of graphics cards to speed up the process made a
theoretical possibility a reality.
"Brute force decryption of the WPA and WPA2 systems using
parallel processing has been on the theoretical possibilities
horizon for some time – and presumably employed by relevant
government agencies in extreme situations – but the use of the
latest NVidia cards to speed up decryption on a standard PC is
extremely worrying," he said.
Elcomsoft said that its Distributed Password Recovery product is
intended for use by government agencies, data recovery and password
recovery specialists and corporate users. "[It] offers the fastest
password recovery by a huge margin, and is the most technologically
advanced password recovery product currently available," it said in
its description of the product.
If security is weak, the risk for a company that operates a
wireless network only to provide users with internet access is
relatively low. The network could be vulnerable to being exploited
for free internet access; and any illegal online activity carried
out by a network intruder will be traced to that company's network.
The risk is higher if the wireless network is used as the company's
internal network, with private and valuable information travelling
through it without further encryption.
Companies which use wireless networks without further encryption
should move to virtual private networks (VPNs), said GSS. "We now
advise clients using Wi-Fi in their offices to move on up to a VPN
encryption system," said Hobson.
A common encryption technology for Wi-Fi networks used to be
WEP, but that has been discredited. Companies have mostly moved to
WPA or WPA2 because they were regarded as safe, a view that is now
likely to change.
Hobson said that the news could result in a replacement of some
wireless networks with more traditional wire-line networks.