The KRACK attack: Have we seen the full extent?

null

The KRACK attack which affected the majority of the WiFi systems across the globe caused panic as individuals, businesses and their providers discovered a security flaw left their privacy vulnerable to a growing group of 21st century criminals - hackers.  

Fortunately, before we all had time to digest (or for many, even try to understand) the magnitude of the breach, many suppliers had rushed out updates and patches to counter the issue, stopping the attack in its tracks with no real harm done.  

But is that actually the case? Can we consign the KRACK attack to the past and just chalk it up as experience? 

Let’s go back to the beginning

Just to recap, the KRACK attack hit the headlines during October 2017 when an issue was identified in the WPA2 (WiFi Protected Access) encryption standard on almost every wireless system on the planet. The event was named after the site krackattacks.com, which specialises in research on key installation attacks, who first published details of the weakness when it was discovered.

The WPA2 security breach highlighted a major flaw that revealed that hundreds of thousands of businesses were not properly equipped to deal with significant security disasters such as this one. The harsh reality of this was that a successful intrusion could provide online criminals with access to personal information and data, including everything from bank details to account passwords. You name it.

To their credit, most tech companies sprung into action before the world could even utter the phrase ‘KRACK attack’, with patches and updates rapidly being rolled out to cover our most popular gadgets, such as Windows and iOS devices. Larger WiFi vendors were also quick off the mark to provide suitable security for its users. But there are still significant gaps. As an example, most access points cannot be updated over the cloud. Home hubs also don’t have the functionality required to correct the exposed weaknesses without the proprietor logging in and applying a firmware patch. And even then, how likely is it that an average user would actually know or understand enough to be able to perform this successfully? 

Where are we now?   

Well, we’re two months on and there are still a huge number of WiFi networks across the globe that remain vulnerable to an online hacker. The WPA2 vulnerability is a tricky one to comprehend. While you may think you are safe because you performed an autoupdate on your phone, or you were one of the few that was able to successfully patch your router at home, the KRACK attack actually affects pretty much every single IoT device on the planet. This means that the WPA2 revelation runs much deeper than many people are actually aware of.  

Think baby monitors, security cameras, the fancy new locking system for your front door, or the gadget that lets you open and close your garage. The list is endless. All of these are IoT and most have no accessible interface, which makes them much more difficult to patch. And until companies know how to successfully secure these kindsof devices, they are likely to remain vulnerable to hackers forever. Without scaremongering too much, this kind of activity could extend to a whole other level of criminal. 

So, what’s next?  

It’s not all doom and gloom, and issues like these should never deter anyone from continuing to use their devices or the internet on a day-to-day basis. While the KRACK will probably never fully go away, there are plenty of things that can be done (and are being done) to try and manage the issue as much as possible.

Companies specialising in the creation of high-tech IoT gadgets have a rather arduous task ahead of them. Those who produce thousands of IoT devices will literally need to review security for all of them, introduce the necessary patch and then inform all of their customers on what they need to do at home to ensure these devices are safe from online intruders. A particular worry is if a wrapper was designed that could attack the same weakness in repeated systems. It may just be a matter of ‘when’ rather than ‘if’ that such an incident occurs.  

But you get what you pay for and companies should be using business grade hardware. Fully integrated WiFi systems are able to push out an autoupdate to make sure users are covered as soon as an issue is identified. But not all businesses have a system that is right for them however and they are particularly vulnerable to inadequacies in their WiFi system being attacked. Those that rely on a home hub should log a ticket with their supplier to find out if they have been covered by updates.  

Looking at the KRACK attack, it’s easy to wonder if perhaps this security meltdown may lead to some long term changes. It’s difficult to ignore the constant stories of cyber attacks across the globe, such as WannaCry, which hit the headlines earlier this year. Perhaps scenarios like these coupled with the arrival of this significant security flaw may encourage law markers to take notice and do something. For example, revising legislation to ensure that companies building IoT devices meet the necessary security requirements will mean that customers across the world can purchase their IoT device safe in the knowledge that it meets the legal security requirements. 

So have we seen the full extent of the KRACK attack?  

The KRACK attack exposed the world to the fact that many of our biggest and brightest tech companies are ill-equipped to deal with security disasters such as this one. The frustrating reality is that many people believed this WPA2 revelation to be a long time coming. Vulnerable devices are everywhere and as we have learned, IoT devices don’t tend to recieve the necessary software updates they need in order to be able to correct security issues.    

So how can we assess the full extent of the KRACK attack? In short, we can’t. We may never be able to.     

Patrick Clover, Founder of BLACKBX 

Image Credit: Alexskopje / Shutterstock