Wireless hack raises Data Protection Act compliance risk

One data protection law expert said that firms will have to review their processes in the light of the technical breakthrough or risk breaking the terms of the Data Protection Act (DPA).

Wireless, or Wi-Fi, networks are used by many companies to transfer data around the company. Firms relying just on the standard WPA or WPA2 encryption to protect data may have to re-consider, according to security consultancy Global Secure Systems (GSS).

It said that technology invented by Elcomsoft has undermined WPA security. Elcomsoft's software uses powerful graphics processors usually used in gaming to guess network passwords.

"This breakthrough in brute force decryption of Wi-Fi signals by Elcomsoft confirms our observations that firms can no longer rely on standards-based security to protect their data," said David Hobson, managing director of GSS.

The Data Protection Act is based on eight principles. The seventh demands that companies take technical precautions to protect data.

It states: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

William Malcolm, a data protection law specialist at Pinsent Masons, the law firm behind OUT-LAW.COM, said that companies needed to ensure that their wireless security does not fall foul of this requirement.

"When it comes to personal data the law requires that organisations put in place appropriate technical and organisational safeguards," he said. "This is a moving feast – organisations need to assess what is appropriate in the light of evolving market practice, the cost of implementing measures as well as the nature of the data and what harm could result from its disclosure."

"If organisations are aware of security failings then they should re-assess whether a solution remains appropriate," he said.

GSS's Hobson said that the security breach was predicted but that the use of graphics cards to speed up the process made a theoretical possibility a reality.

"Brute force decryption of the WPA and WPA2 systems using parallel processing has been on the theoretical possibilities horizon for some time – and presumably employed by relevant government agencies in extreme situations – but the use of the latest NVidia cards to speedup decryption on a standard PC is extremely worrying," he said.

Elcomsoft said that its Distributed Password Recovery product is intended for use by government agencies, data recovery and password recovery specialists and corporate users. "[It] offers the fastest password recovery by a huge margin, and is the most technologically advanced password recovery product currently available," it said in its description of the product.

If security is weak, the risk for a company that operates a wireless network only to provide users with internet access is relatively low. The network could be vulnerable to being exploited for free internet access; and any illegal online activity carried out by a network intruder will be traced to that company's network. The risk is higher if the wireless network is used as the company's internal network, with private and valuable information travelling through it without further encryption.

Companies which use wireless networks without further encryption should move to virtual private networks (VPNs), said GSS. "We now advise clients using Wi-Fi in their offices to move on up to a VPN encryption system," said Hobson.

A common encryption technology for Wi-Fi networks used to be WEP, but that has been discredited. Companies have mostly moved to WPA or WPA2 because it was regarded as safe, a view that is now likely to change.

Hobson said that the news could result in a replacement of some wireless networks with more traditional wire-line networks.