Wi-Fi is hacked, but iPhone and iPad will soon be safe

I suspect that virtually every attorney with an iPhone or iPad uses Wi-Fi in connection with the representation of a client.  And if you are on a modern password-protected network, it should be reasonably safe to do so.  Unfortunately, things became more uncertain yesterday when Belgian security researcher Mathy Vanhoef revealed that it was possible for a hacker to intercept Wi-Fi communications, even over a secure password-protected WPA2 network, and even if the hacker didn’t know the password.  Yikes.

Lily Hay Newman of Wired has a good explanation of the flaw, which Vanhoef calls a Key Reinstallation Attack (KRACK).  And while the technical details of the risk may go over your head (mine too!), an argument can be made that every lawyer using technology such as Wi-Fi needs to keep up with this stuff.  For example, ABA Model Rule 1.6(c) says that lawyers shall take “reasonable efforts … to prevent unauthorized access to … information relating to the representation of a client.”  What reasonable efforts should a lawyer take?  Comment 8 to Model Rule 1.1 says that “a lawyer should keep abreast of … benefits and risks associated with relevant technology ….”  And ABA Formal Opinion 477 (May 11, 2017) says that “lawyers must, on a case-by-case basis, constantly analyze how they communicate electronically about client matters” and must undertake “reasonable efforts to prevent inadvertent or unauthorized access.”  Of course, keeping abreast of the risks is easier said than done considering that technology changes so rapidly, as do security risks.

That’s the bad news.  Fortunately, there is good news for iPhone and iPad users.  First, while every Wi-Fi device is at risk to some extent, those of us who use iPhones and iPads are at less risk than folks using Android.  According to Tom Warren of The Verge, 41% of Android users are at risk, especially those using Android 6.0, because of the Wi-Fi implementation on those devices.  The current version of Android is 7.0, but it is typically much harder for Android users than for iOS users to update their devices.  There are many reasons for this, including that most Android phone manufacturers have no financial incentive to update older devices so they don’t do so.  Fortunately, Apple makes it much easier to update iOS devices and makes its frequent updates available for a wide range of devices, so you can expect to continue to receive security updates long after you buy an iPhone or iPad.

The second item of good news is that Apple already has a fix for KRACK, as reported by Rene Ritchie of iMore.  Apple says that the fix is currently in a beta version and will soon be available for all users.  I’m not sure if this update will be in iOS 11.1, which I expect to come out in a few weeks (the one with the new Emoji in it), or if Apple will release an iOS 11.0.x update just to fix the KRACK flaw.  (Similarly, Apple has a fix for KRACK in a beta version of macOS.  And if you use Windows in your office or home, Microsoft similarly has a fix, as reported by Tom Warren of The Verge.)

What is currently less clear is whether you need to update both your iPhone/iPad and also your Wi-Fi router to fix this, or if just updating your iPhone/iPad is enough.  That article from Rene Ritchie of iMore says that whether you need to also update your router depends on the brand of router that you are using.  Of course, you have some control over the Wi-Fi router in your home and office, assuming that the manufacturer of your router releases an update.  But what concerns me is that if you are using Wi-Fi in another location, such as a hotel or conference or even just at another law firm, how are you supposed to know whether (1) the router is one that is vulnerable and (2) that router has been patched?  Hopefully we will soon get more information on how to confront this.

Note that there is another solution:  use VPN.  For a long time, I have recommended using VPN with your iPhone or iPad (and computer!) if you are using a public Wi-Fi network, but you can also use VPN on a private, password-protected network to protect yourself from any hacker using KRACK on the same network.  You can set something up at your own law firm so that all of your users can use VPN over Wi-Fi to connect back to your law firm network, or anyone can use a third-party VPN service.  For example, back in 2014 I reviewed a great app called Cloak; the name recently changed to Encrypt.Me and the service still works really well.

You could also avoid this particular hack by using cellular data instead of Wi-Fi.  I’ve been doing that more and more myself now that I have an AT&T unlimited data plan, and nowadays AT&T LTE is often faster than Wi-Fi for me.

Hopefully we will learn more about all of this very soon.  And when Apple does release the next version of iOS to fix this security flaw, I encourage you to install the update so that you have more protection when using Wi-Fi.
