In the world of digital security, the Krack exploit is about as bad as it gets. Virtually every wireless device is exposed to some degree to the recently uncovered vulnerability in the WiFi Protected Access II (WPA2) protocol used to secure wireless communications. It will cause problems for months or years even in the devices that are the easiest to upgrade. Internet of Things devices, which generally have minimal security or ongoing support, will likely retain vulnerabilities for far longer.
As we discussed in a past blog post, there is a pressing need for an industry standard in IoT security. The Mirai botnet attack, which relied primarily on devices using the factory default password - demonstrated just how vulnerable unprotected devices are. The Krack attack is more sophisticated by a considerable margin. This makes it more difficult for hackers to implement, but it also means that simply changing your devices’ passwords won’t be enough to secure them.
“We’re probably still going to find vulnerable devices 20 years from now,” Atredis Partners Network Security Researcher HD Moore told Wired.
The Krack attack is especially pernicious because it doesn’t target any specific device or instance of WPA2 - the vulnerability exists in part of the protocol that is used to secure the communications between two devices in the first place.
Devices using WPA2 use a four-way handshake to establish a “nonse,” which is like a secret that both devices share. In digital cryptography, a nonse is usually a long string of numbers and/or letters that is only used once to verify the sender of a communication. However, the makers of the WPA2 standard realized that WiFi connections would sometimes be dropped. To facilitate quick reconnections, they allowed the same value for the third handshake to be used for reconnection.
The Krack attack exploits this vulnerability in the following way: Device one, a wireless router, and device two, a mobile phone, have established a secure connection and are exchanging data. Using device three, an attacker begins by recording device two’s third handshake and playing it back to device one. This prompts device one to encrypt data using parts of the same keychain that it is using to encrypt its communications with device two. By repeating this process several times and matching encrypted blocks of the same content, device three can obtain blocks of the same content that have been encrypted using the whole keychain. The attacker can then work backward to identify the entire key, allowing them to read the unencrypted contents of all communications between device one and device two.
If you’re doing some online shopping, those communications could include your credit card number and personally identifying information. Personal communications, web traffic, and anything else passing over WiFi would also be captured. Sensor data from Internet of Things devices are especially vulnerable because unlike emails or credit card data, these are unlikely to be secured with independent encryption.
There will doubtless be a flare-up of high profile attacks using the Krack exploit in the near future, but these will settle down as updates are rolled out to the most common consumer and business technology. In fact, the most common computer platforms are already safe from Krack or will be with an imminent update. The devices that will stay vulnerable are those that you might not think of as a computer or that you rarely interface with directly, like your wireless router. Unfortunately for smart buildings, many IoT devices fit neatly into this category.
The number of IoT devices has and is continuing to explode as consumer technology becomes cheaper and WiFi becomes ever more ubiquitous. Things like security cameras, utility meters, smart locks, and even refrigerators are now often connected to WiFi through the WPA2 protocol, and as such are vulnerable to Krack. (Note: Aquicore devices connect to the cellular network, not WiFi, and as such are not affected by Krack.) This data could potentially reveal information that could be used or sold by a malicious actor and have real-world effects. Utility meter data could reveal that a home or unit in a building is unoccupied, for example. Security camera footage could be stolen and used for blackmail. Devices with controls, like a building automation system or a smart lock present even more harrowing possibilities.
Perhaps the most alarming thing about this vulnerability is that the work required to patch each WiFi-enabled device is more than most users are willing to put in, all but ensuring that many, many devices will not be updated. Take Netgear, a household name in wireless routers, which, as Wired points out, deserves a gold star for releasing a fix for twelve of its router models on the same day that the Krack exploit became public knowledge. If you have a modern Netgear router, which you very well may, you could navigate to their website, download the relevant patch, log into Netgear’s access point web-management interface, and install the upgrade. Chances are you won’t do that for the same reason that almost no one else will - it’s complicated and at least a little bit intimidating. And even making that decision requires having read an article like this one - like most device manufacturers, Netgear has no way of contacting most of its customers.
So, what do we do? The unfortunate answer is that, in the short term, there isn’t much that can be done besides hoping that the exploit is too complex for most hackers to make use of and that not too much damage is done. Because most users aren’t high-value targets for hackers, the odds of any one of them being attacked are low. Critical systems will likely receive patches soon or be upgraded with new hardware, and new technology that comes out will generally not be vulnerable to Krack. Eventually, only a few devices that have slipped through the cracks (sorry) will still open to attack.
Long-term, it’s time to start getting serious about IoT security. Gartner estimates that there will be 50 billion IoT devices online by 2020, and if we continue along the current trajectory, it’s obvious that their security will be woefully inadequate. With luck, perhaps this will be a wakeup call that device manufacturers need to take digital security seriously. Ideally, IoT devices should be upgradeable and include some form of accessible user interface, and manufacturers should patch holes in security within a reasonable time frame.
In Washington, Co-Chairs of the Senate Cybersecurity Caucus Sens Mark Warner (D-VA) and Cory Gardner (R-CO) along with Sens Ron Wyden (D-OR) and Steve Daines (R-MT) introduced a bill August 1 to improve the security of IoT devices by imposing a minimum standard for devices purchased by the U.S. government. The standards include basic requirements like ensuring that devices are patchable, are free of known security vulnerabilities, and don’t include hard-coded passwords. It also encourages security research and information sharing. While the requirements apply only to devices bought by the federal government, it is hoped (not unreasonably) that the standard would percolate out to the general consumer market.
“Information is a form of currency,” said Sen. Daines. “We need to have proper safeguards in place to ensure that our information is protected.”