Reprinted from The Guardian
A huge weakness in wifi security erodes online privacy. But the real challenge is designing with human shortcomings in mind
This week’s security scandal is the discovery that every household with wifi in this country has a network that isn’t really private. For 13 years a weakness has lurked in the supposedly secure way in which wireless networks carry our information. Although the WPA2 security scheme was supposed to be mathematically proven to be uncrackable, it turns out that the mechanism by which it can compensate for weak signals can be compromised, and when that happens it might as well be unencrypted. Practically every router, every laptop and every mobile phone in the world is now potentially exposed. As the Belgian researcher who discovered the vulnerability points out, this could be abused to steal information such as credit card numbers, emails and photos.
It is not a catastrophic flaw: the attacker has to be within range of the wifi they are attacking. Most email and chat guarded by end-to-end encryption is still protected from eavesdroppers. But the flaw affects a huge number of devices, many of which will never be updated to address it. Since both ends of a wifi connection need to be brought up to date to be fixed, it is no longer safe to assume that any wifi connection is entirely private.
The story is a reminder of just how much we all now rely on the hidden machineries of software engineering in our everyday lives, and just how complex these complexities are. The fact that it took 13 years for this weakness to be found and publicised shows that no one entirely understands the systems that we all now take for granted. Also this week, a flaw was discovered in one of the widely used chips that are supposed to produce the gigantic and completely random numbers which are needed to make strong encryption truly unbreakable. Even the anti-virus systems that many users hope will protect them can be turned inside out. First the Israeli and then the Russian intelligence agencies appear to have penetrated the Russian-made Kaspersky Anti-Virus, a program of the sort which must have access to all the most sensitive information on a computer to perform its functions.
And then there are the known unknowns: the devices which most users do not even notice are connected to the net. It is estimated that there will be 21bn things connected to the internet by 2020, from baby monitors and door locks to cars and fridges. Billions of these are unprotected and will remain that way.
But this kind of technological failure should not blind us to the real dangersof the digital world, which are social and political. The information about ourselves that we freely give away on social media, or on dating sites, is far more comprehensive, and far more potentially damaging, than anything which could be picked up by a lurking wifi hacker. The leak of millions of user accounts from Equifax, the credit reference agency, is only the most recent example of the plundering of personal information by criminals.
Such hacks might be regarded as the outcome of technical wizardry, but are dependent on human shortcomings in recognising and fixing security flaws. Others would be impossible without tricking real users out of their passwords first. In criminal hands, social engineering beats software engineering every time, and the problems of the internet cannot entirely be solved by technical means. Until we design for human nature, no perfection of machinery can save us.