Security for the Internet of Things (IoT) has suffered a major blow. So has the security for any device that uses Wi-Fi connections.
Security researchers have discovered a serious vulnerability in the protocol used by almost every device that relies on Wi-Fi. As described by the researchers who discovered the flaw:
An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.
The warnings about KRACK first came to light a couple of months ago. According to ZDNet, around the time that Mathy Vanhoef spoke of the problem at Black Hat, U.S. Homeland Security's cyber-emergency unit sent out an alert about it to security experts and manufacturers who develop Wi-Fi-connected devices. That, Dr. Steven Murdoch, Innovation Security Architect, VASCO Data Security, and Principal Research Fellow at University College London, told me in an email comment, gave manufacturers two months to address the bug before today’s public disclosure. That’s good news for new products in development, but bad news for the devices already in use because, Murdoch pointed out, manufacturers often do not fix vulnerabilities in older products, particularly those that aren’t being actively promoted.
What does this mean for the security of the Wi-Fi-connected devices used for your business? Murdoch said:
The vulnerability is serious, but to exploit it the criminal has to be physically near the computer they want to attack. For this reason, the more valuable the network, the more likely it is criminals will make the effort to carry out the attack, so businesses are at a higher risk than average home users.
Bottom line, security is going to fall on the shoulders of IT departments and organizations, as Rich Campagna, CEO with Bitglass, told me in an email comment:
There's no stopping users from connecting to public Wi-Fi hotspots, so it's up to the enterprise to layer on protection mechanisms. This vulnerability speaks to the importance of ensuring that all connections from endpoints leverage strong encryption, such as the latest versions of Transport Layer Security (TLS). Intermediary proxies can ensure that regardless of what the application supports, all connections from end-user devices leverage strong encryption.
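One way to act on the recommendation above, that every endpoint connection should ride on strong encryption regardless of what the application supports, is to audit the logs of the intermediary proxy that fronts those connections. The script below is an added example, not code from the article or from Bitglass; the log format (client, destination, scheme, TLS version, cipher suite), the sample records and the policy thresholds are all assumptions constructed for illustration. It flags plaintext connections, TLS versions below 1.2, pre-TLS protocols and cipher suites built on known-weak primitives.

```python
"""Audit proxy connection logs against a minimum-encryption policy (added example)."""
import re
from dataclasses import dataclass

# Constructed sample log lines (not taken from the article). Assumed format:
# <client_ip> <destination> <scheme> <tls_version or -> <cipher or ->
SAMPLE_LOG = """\
10.0.0.12 mail.example.test https TLSv1.3 TLS_AES_256_GCM_SHA384
10.0.0.12 legacy.example.test https TLSv1.0 ECDHE-RSA-AES128-SHA
10.0.0.15 intranet.example.test http - -
10.0.0.15 api.example.test https TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
10.0.0.20 old.example.test https TLSv1.2 DES-CBC3-SHA
10.0.0.22 ancient.example.test https SSLv3 AES128-SHA
"""

# Policy (assumed): no plaintext, TLS 1.2 minimum, no cipher with a known-weak primitive.
MIN_TLS_VERSION = (1, 2)
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ANON")


@dataclass(frozen=True)
class Finding:
    client: str
    destination: str
    reason: str


def parse_tls_version(token: str):
    """Return (major, minor) for tokens like 'TLSv1.2'; None for SSLv3, '-' or junk."""
    m = re.fullmatch(r"TLSv(\d)\.(\d)", token)
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit_line(line: str) -> list:
    """Check one log record and return every policy violation it contains."""
    fields = line.split()
    if len(fields) != 5:
        return []  # malformed record: skip rather than guess at its meaning
    client, dest, scheme, version, cipher = fields
    findings = []
    if scheme != "https":
        findings.append(Finding(client, dest, f"plaintext scheme '{scheme}'"))
        return findings  # no TLS attributes to judge on an unencrypted connection
    parsed = parse_tls_version(version)
    if parsed is None:
        findings.append(Finding(client, dest, f"unrecognised or pre-TLS protocol '{version}'"))
    elif parsed < MIN_TLS_VERSION:
        findings.append(Finding(client, dest, f"{version} below minimum TLSv1.2"))
    upper = cipher.upper()
    for marker in WEAK_CIPHER_MARKERS:
        if marker in upper:
            findings.append(Finding(client, dest, f"weak cipher suite '{cipher}' ({marker})"))
            break
    return findings


def audit_log(text: str) -> list:
    """Run audit_line over every non-empty record in the log text."""
    return [f for line in text.splitlines() if line.strip() for f in audit_line(line)]


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"{f.client} -> {f.destination}: {f.reason}")
```

Run against the constructed sample, the audit reports four of the six connections: the TLS 1.0 session, the plaintext intranet request, the 3DES cipher suite and the SSLv3 session. Malformed records are skipped rather than silently passed, so a log that the parser cannot read shows up as a gap in coverage instead of a clean bill of health.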
It will be interesting to see how this ends up affecting IoT security in the coming months.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba