Opinion: KRACK makes it clear who is and who isn't ready for the next big cyber security crisis
- 19 October, 2017 16:40
If there’s any solace to be found in this week’s widespread concern over Wi-Fi vulnerability, KRACK, it’s that the outbreak has given both vendors and consumers some valuable insights into who is, and who isn’t, prepared for The Next Big Cyber Security Scare.
If you somehow missed all the news about KRACK this week, here’s a good summary.
As far as worst-case cybersecurity scenarios go, KRACK is as far-reaching as these things come. Everything uses WPA2: smartphones, smartwatches, laptops, desktops, tablets, eReaders, networked speakers, cameras, smart TVs and more. Odds are, if something has been branded as “smart”, it probably uses WPA2 authentication - which means it's now potentially compromised.
Utilising the vulnerability, attackers can bypass ordinary Wi-Fi encryption and steal everything from credit card numbers to passwords to emails to photos and chat messages. The “potentially” here refers to one of the few real silver linings attached to KRACK: the fact that attackers do have to be within more or less physical proximity to your devices if they want to take advantage of the vulnerability does alleviate at least a little bit of KRACK’s inherent scariness.
A somewhat similar vulnerability saw vendors and consumers abandon the WEP authentication standard in droves back in 2007. Fortunately, fixes for the KRACK vulnerabilities can be implemented in a backwards-compatible way. This time, they’re planning to stick it out. For some customers, updated cybersafety is just a patch away.
Of course, the act of distributing those patches is a process that’s fraught on both sides. Not all vendors are born equal when it comes to the frequency and the longevity of the security updates they provide for their smart products, and consumers can’t necessarily be relied upon to proactively seek out those updates.
We’re not just talking about the technology illiterate here either. Ubuntu ran a survey on user security last year and found that just 31% of consumers who own connected devices performed security updates as soon as they became available, while 40% never consciously installed those updates. Even for the most IT-savvy, taking control of the security on each and every device you own is a big ask - even if it is a necessary one.
Some security researchers have estimated that between 30% and 50% of devices will likely never be properly patched against the KRACK vulnerability. That’s a chillingly high, yet entirely believable, figure. Sure, the IT professionals and networking enterprises of the world are absolutely going to rush to inoculate themselves against KRACK - but what about everyone else? How many cafe owners who offer free Wi-Fi to customers are going to go and manually patch their router?
KRACK turns the ubiquity of Wi-Fi against the user to terrifying effect. There are simply too many devices out in the wild that use the KRACK-vulnerable WPA2 to keep track of, let alone effectively update.
Which isn’t to say that vendors aren’t trying. As has been reported earlier this week, Microsoft was pretty much the first one on their feet when it came to tackling KRACK. When news of the vulnerability broke, they announced they’d already released a fix as part of October 10th’s “Patch Tuesday”.
Apple were similarly quick, announcing that a hotfix for iOS, macOS, watchOS and tvOS is in the works but won’t be rolled out for a few weeks. Likewise, Google say they’ve got a patch for both Android OS - which is specifically more vulnerable to the KRACK exploit than other platforms - and their other wirelessly-enabled devices. However, again, they say it won’t be pushed out for another few weeks.
Samsung, Amazon and others are all taking a similar stance and toeing more or less the same line to the media and wider public. "We are in the process of reviewing which of our devices may contain this vulnerability and will be issuing patches where needed," they almost universally said. Without any inside knowledge of the internal workings of each of these companies, it’s difficult to say whether or not the timelines of these individual responses are adequate. However, it feels fair to say that three weeks sounds like a bitterly long time at the outset.
Especially when some of the vendors responsible for updating the routers - which make up the other half of the four-way handshake that KRACK exploits - have been that much faster at inoculating themselves.
Netgear have already rolled out fixes for several of their more popular devices and indicate that they will comb through their catalog in the coming weeks. Cisco and Synology have also acted swiftly to address the exploit.
Linksys and Belkin, meanwhile, have been a little slower. Earlier in the week, they said that “their security teams are verifying details and we will advise accordingly” but still appear to have not yet issued a hotfix against the vulnerability.
Going forward from this week’s “KRACK Attack”, it’s easy to imagine that security features will become more than a box-checking inclusion for consumer products. The Wi-Fi Alliance, the nonprofit agency that certifies products for Wi-Fi security, has announced that it will start testing for the vulnerability.
In the future, it’s possible that more vendors will follow in Microsoft and Netgear’s footsteps, taking a more proactive approach to cybersecurity that reduces the reliance on the user. Future smart devices might ask users upon setup how much control over software and security updates they want - giving them the option to surrender a degree of control and enable updates to be pushed with greater frequency.
It’s easy to imagine a world where the discovery of KRACK came with a more immediate or even cataclysmic outcome. It’s much harder to imagine a world where the aftermath of the vulnerability won’t loom large for the decades that follow its discovery.