Researchers at a Belgian University earlier this week revealed the discovery of a break in the security protocol used to protect the vast majority of Wi-Fi connections (WPA2 based). Mathy Vanhoef of imec-DistriNet, KU Leuven University, released his findings explaining that an attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs) to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, and photos.
Vanhoef stressed that “Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.” Further, The KRACK attack is universal and works against all type of devices connecting to or using a WPA2 WiFi network. This includes Android, Linux, iOS, macOS, Windows, OpenBSD, and embedded and IoT devices. If your device supports Wi-Fi, it is most likely affected.
The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is still likely affected. Consumers are advised to update all their devices once security updates are available.
I spoke to cybersecurity researcher Nadir Izrael, CTO and co-founder of Armis, the company responsible for the discovery of BlueBorne, a set of vulnerabilities that impact any connected device using Bluetooth. Nearly all devices with Bluetooth capabilities, including smartphones, TVs, laptops, watches, smart TVs, and even some automobile audio systems, are vulnerable to this attack. If exploited, the vulnerabilities could enable an attacker to take over devices, spread malware, or establish a “man-in-the-middle” to gain access to critical data and networks without user interaction.
“It’s not shocking to learn Wi-Fi is vulnerable, but it’s still disturbing to see how the technology we all rely on every day can’t be trusted. This is the second time in two months that we’ve seen all connected devices being vulnerable to widespread airborne vulnerabilities; we recently discovered vulnerabilities in Bluetooth and the BlueBorne threat. The difference is that with KRACK we can’t tell people to just turn off Wi-Fi. The majority of all traffic is now wireless. It’s how we connect, communicate, and live.
KRACK shows us we are now living in the new age of exposure. It is a combination of a world of devices that either can’t be updated or cannot have any security software running on them. Since we can’t stop using smartphones, remove all the smart TVs, take away the connected healthcare unit, or remove the quality control sensors from the manufacturing line, we need solutions that will see each device and its activity – and take action on whether that device is behaving properly or inappropriately.”
The challenge to update connected products
While companies are rushing to release security updates and patches (Tech blog Charged offers an ongoing list of firmware patches as they become available) the reality is a little more complex for IoT. As Izrael notes:
“Updating devices has become very complex. Some devices can be updated; in fact, updates are a part of a standard process. Other devices make updates very difficult. The vast majority of these simple connected devices in the home and at work do not allow for easy software updates or security patches. Many lack a decent interface for a consumer or IT professionals to easily access a way to update them. Some have default passwords that may not be known (default passwords that themselves create risks as we have seen with the Mirai attack). Others have simply no way to get an update onto the device.”
Is this proof of vulnerabilities ripe for future attack?
Fortunately, the world as we know it is not going to end for now, but the Izrael notes that KRACK is a proof-of-concept. As patches are now being released, the hope is that it will not be exploited in the wild, but it’s likely that criminals will try. He suggests that for protection, businesses must ensure that all their corporate and employee devices are updated with the latest software and patches. For devices they don’t control or can’t update, businesses need to ensure devices can’t connect to a critical network.
Izrael warns that poor industry focus on security due to connectivity being the first priority has set up an ecosystem ripe for attack: :
“In a world of a glaring lack of security standards across IoT protocols, we see an attack surface that is expanding rapidly, exposing enterprises to attacks they are ill-prepared to defend against. Unfortunately, we know that companies can’t even see 40% of the connected devices in their environment. This is why IoT and all these connected devices are a big security concern. It’s a huge security blind spot for organizations, with serious consequences.”
As researchers scramble to determine the origin of and people responsible for KRACK, it’ll only be a matter of time before the next Wi-Fi (WPA2 specific or not) vulnerability with potential for serious consequences is brought to light.