The seriousness of KRACK and the threat posed by Wi-Fi vulnerabilities to IoT-enabled devices should not be underestimated, say experts.
This week, the headlines have been full of KRACK, ever since security researchers revealed on Monday the existence of several major security vulnerabilities that could be exploited to steal sensitive information from devices connected to a wireless network.
These exploits are known as Key Reinstallation Attacks – hence the term KRACK – and they affect the WPA2 protocol that is the current industry standard for encrypting traffic on Wi-Fi networks. In other words, a skilled hacker could intercept and manipulate the traffic flowing between a connected device and the web.
The only good news in this whole mess seems to be that the attacker needs some physical proximity to the device itself in order to succeed in this kind of attack. At the very least, that vastly reduces the possibility that KRACK could be used to create botnets.
A serious problem
But the seriousness of KRACK when it comes to the IoT should not be underestimated. As cyber security expert Professor Alan Woodward of the University of Surrey told the BBC: “This is a flaw in the standard, so potentially there is a high risk to every single Wi-Fi connect out there, corporate and domestic.”
Basically, he added, KRACK will leave the majority of Wi-Fi connections at risk until vendors of routers can issue patches.
Meanwhile, at digital assistance services company Iron Group, chief technology officer Alex Hudson wasn’t pulling any punches when he wrote in a blog post:
“It’s clear to me that ‘Internet of Things’ type devices will be the hardest hit. Devices with embedded Wi-Fi for secondary functional purposes, like TVs and baby monitors, are unlikely to get proper updates. As a protocol problem, it’s possible we will be forced to choose between security and functionality, and many users will choose the latter – it’s a difficult problem to weigh.”
Extent of the fallout
For now, the extent of the KRACK fallout remains to be seen. The only way to fully mitigate these vulnerabilities is to wait for device manufacturers to release software patches and then install those as soon as possible.
While smartphones and the like will likely get patched pretty quickly, some IoT devices may never get fixed. Speaking to Wired, HD Moore, a network security researcher at Atredis Partners, said: “We’re probably still going to find vulnerable devices 20 years from now.”
What is clear, however, is that IoT devices, where configured correctly by the manufacturer, will encrypt any sensitive data that they transmit – so while KRACK might be used to potentially compromise an unpatched IoT device, it could only intercept information that remains unencrypted.
Either way, this should be a big wake-up call to the makers of IoT devices because, as we know, many still fail to configure devices correctly before shipping them out to market. For now, there is more information on KRACK available at this microsite, set up by Mathy Vanhoef of KU Leuven, one of the security researchers who first discovered the problem.
Read more: Rambus: Closing the door on IoT hackers