Exploring the ongoing impacts and remedies for the KRACK Wi-Fi vulnerability
It’s been nearly two months since the KRACK Wi-Fi bug was broadcast to the world. The news hit headlines across the globe in October of this year when tech researchers discovered the wide-spread vulnerability that impacted IoT devices of all kinds.
Two months down the road, we’ve decided to check in and ensure that businesses have replaced or patched affected systems and devices. So often, we forget about dangerous vulnerabilities once the headlines fade. But since the KRACK vulnerability was so widespread and impacted internet connections through a variety of IoT devices, it’s critical that businesses stay on their toes and ensure no holes remain.
The Basics: Recapping the KRACK Wi-Fi Vulnerability
As noted, in October 2017, a widespread Wi-Fi flaw was discovered and was dubbed KRACK or Key Reinstallation Attack. KRACK has been described as a security flaw in the WPA2 protocol, which could allow criminals to break the encryption between a router and a given device. Once encryption is broken, criminals are able to intercept and interfere with network traffic.
Security vulnerabilities like KRACK can be hard to wrap your head around so here’s a quick breakdown of how KRACK happens:
- Hackers find WPA2-PSK networks that they want to infiltrate and wait for a user to connect. In a modern business world, users connect to Wi-Fi hotspots everywhere – maybe in the office, but often in remote locations like a public park, coffee shop or their parked vehicle.
- As the device works to legitimize the Wi-Fi connection, hackers can quickly interfere and decrypt any traffic being exchanged over Wi-Fi. This means hackers have the power to cause a lot of trouble without being on the network itself. Without an actual connection to the network, hackers take advantage of this vulnerability to intercept, modify or forge data as well as install malicious malware.
- What makes KRACK especially scary is the fact that the security flaw isn’t contained to a specific software program, rather it targets WPA2 Wi-Fi – a widely used protocol that countless business and individuals rely on daily.
Basically, because the vulnerability affects Wi-Fi encryption, it sent the entire tech industry scrambling. The reason is, the so-called KRACK attack affects nearly every wireless device to some extent, leaving them vulnerable to hijacked internet connections. That’s a pretty massive scope – especially in the age of the Internet of Things.
Long Road Ahead: Why Experts Believe Devices Will Be Vulnerable to KRACK for Years
To be honest the full extent of the KRACK fallout remains to be seen. While all the major platforms like iOS, MacOS, and Windows have already been patched, there are millions of routers and other IoT devices that will likely never see a fix. This means the risk factor could linger for years.
This kind of wide-reaching, long-lasting attack exposes just how challenging it is to protect IoT networks – and how much work the industry has to do in terms of expanding security protocols. While your office computer, iPhone, and laptop may be patched, IoT devices are hiding everywhere. Have you patched your router? What about your security cameras? Even automated thermostats and garage doors could be impacted. With so many devices made vulnerable, the challenge to contain the threat efficiently is very difficult.
The reason containment is so hard is because some IoT devices just don’t get the regular software updates they need to correct security issues. Thermostats and security cameras are rarely in mind when a business schedules software updates. In fact, because KRACK is very complex and requires an industry-wide, coordinated effort to fix, many security experts recommend buying new equipment once options with built-in patches are on the market.
It’s not that manufacturers aren’t trying. Netgear – a leading provider of routers – released numerous patches for its router models the very day that KRACK went public. The problem is that manufacturers like Netgear produce thousands of different product models – all of which need to be independently tested for KRACK impact. This is a huge job and one that makes it difficult to say the problem is totally taken care of.
Double Check: Even if You Think Your Patched, Give Every Device a Second Thought
While it may seem like an insurmountable problem, there is one key thing that business owners can do to ensure they’ve done all they can. Whatever advice you may have heard for dealing with KRACK, only one solution has a tangible benefit: get your devices patched. If you’re not sure whether a certain device is patched or not, take a look at this running list of companies that have released patches.
If you have an iPhone, Mac, or Android device, and haven’t patched it yet – patch it right now! If you have a variety of IoT devices in your office, create an inventory and research the patching options for each. If there are certain devices with no available fix, it might be worth considering a replacement.
However, before you go throwing out devices, it’s a good idea to reach out to a team of IT professionals. Consulting with a team of experts can help you determine which devices are fixable and which need to be axed to maintain security. Since KRACK made headlines, we’ve been working alongside concerned clients to make sure every last business device is patched. However, we can only help those who reach out with concerns about potentially vulnerable devices.
Has your IT provider helped you patch or replace impacted devices so you’re no longer vulnerable? If you think there are unpatched, vulnerable IoT devices lurking in your office don’t hesitate to give our team of experts a call. As long as you have a rough idea of the devices that might be vulnerable, our team of professionals can work with you to mediate any lingering risk.