On Monday, security researchers revealed the existence of several major security vulnerabilities that could be exploited to steal sensitive information shared by users connected to a wireless network.
The exploits—known as Key Reinstallation Attacks or KRACK —affect Wi-Fi Protected Access 2 (WPA2), a protocol that is the current industry standard for encryption that is used to secure traffic on Wi-Fi networks.
KRACK attacks, which take advantage of a fundamental flaw in the way devices and access points communicate and handle encrypted data, put essentially every Wi-Fi enabled device at risk—though the internet-connected devices that make up the Internet of Things are of particular concern.
While many vendors have already quickly moved to offer up a fix for the vulnerabilities—Microsoft has already issued a patch, Apple addressed the issue in earlier versions of its mobile operating system and Google is already concocting its fix for Android—IoT devices are notoriously slow when it comes to addressing security problems.
“There might be a lot of [Internet of Things] devices that might not receive a patch in the near future,” Candid Wueest, a threat researcher at security firm Symantec, told International Business Times.
“Sometimes they don’t have a patch mechanism, sometimes people don’t know about it. It could be that some of those devices would still be attackable, but it’s debatable on how serious it is if someone can listen in to your radio or your smart TV,” Wueest said.
This has been a long-standing issue for the Internet of Things (IoT), which is made up of everything from internet-connected light bulbs that can be turned on and off remotely to Wi-Fi enabled refrigerators and other appliances to the systems that allow massive enterprise organizations to keep track of its production lines and shipping containers.
IoT is already massive—there are an estimated 8.4 billion connected devices in use, according to Gartner—and will only continue to grow as the technology to allow a device to connect to the internet become cheaper. It is projected there will be nearly 20.5 billion IoT devices in use by 2020.
While that internet connection offers newfound convenience for consumers, allowing them to interact with devices and appliances in new ways, it has also created a massive number of new potential entry points for attackers—most of which go unaddressed.
A report from Hewlett-Packard found that 70 percent of IoT devices contain noteworthy security flaws—on average, about 25 vulnerabilities per device—that have yet to be patched by the manufacturer.
In some cases, there is a low probability that those vulnerabilities will ever be exploited so vendors choose not to address them until absolutely necessary. But the discovery of KRACK highlights a major and potentially crippling problem for the Internet of Things: in many cases, manufacturers don’t even have a protocol for patching devices.
“It’s clear to me that Internet of Things-type devices will be the hardest hit,” Alex Hudson, the chief technology officer at Iron Group, wrote. “Devices with embedded WiFi for secondary functional purposes, like TVs and baby monitors, are unlikely to get proper updates.”
While device manufacturers like Google and Apple and Microsoft must keep their devices up to date to protect users, producers of IoT devices like smart TVs may not have even thought about the possibility that a security patch may one day be necessary and therefore have no option to provide an update to address a vulnerability.
Mark Orlando, chief technology officer for cyber services at cybersecurity firm and United States defense contractor Raytheon, told IBT “speed-to-market has driven most of the development and deployment of wireless devices that make up the IoT,” rather than security. “Updating them to keep up with cyber threats and new vulnerabilities was never part of the equation for many of their developers.”
The result is the devices are affordable and widely accessible, but also incredibly vulnerable to being exploited by malicious actors.
Orlando said for the IoT to continue, it requires “active maintenance rather than deploying and forgetting about any device.” He suggested bringing transparency to the standards and protocols that govern how internet-connected devices work, allowing developers to better understand the devices and where risks may reside.
He also suggested businesses to look closely at how any wireless devices may operate before adding them to their supply chain, including performing vulnerability assessments and ensuring the devices adhere to best security practices to mitigate potential risks.
That advice may work going forward for organizations who know to provide scrutiny to the security of devices, but it likely provides little respite for those who have already invited a litany of IoT devices into their home or business operations.
There are undoubtedly millions of devices already available that will never receive a patch to protect against KRACK attacks—and millions more that may have a patch available that will never be installed. Since many IoT devices that do receive patches require users to manually check for and install the fixes, the patches never get applied.
“As a protocol problem, it’s possible we will be forced to choose between security and functionality, and many users will choose the latter—it’s a difficult problem to weigh,” Hudson wrote.
There is some good news when it comes to the KRACK attack in particular. First, the vulnerabilities have yet to actually be exploited in the wild. Researchers were able to complete a proof of concept attack but no one has been directly compromised from the exploits yet.
Additionally, KRACK requires a threat actor to be close to the victim they are attempting to compromise. The attack has to take place within the wireless range of a device or access point, which means about 30 feet or so. This greatly limits the potential for a widespread attack—though does leave the possibility for targeted attacks.
It’s also worth noting that IoT devices, if configured correctly by the manufacturer (which is not a guarantee), will encrypt any sensitive data that it transmits. KRACK can be used to potentially compromise an unpatched IoT device but can only intercept information that is unencrypted.
That said, KRACK needs to serve as a wake up call to makers of internet-connected device. The way wireless devices communicate was discovered to be flawed and many parts of the IoT have no mechanism to defend against the threat. The next flaw to be discovered may not be so limited in its attack radius, and device manufacturers will need to have a way to react.
“The future viability of the Internet of Things will be determined by how seriously industry takes issues like this,” Raytheon’s Orlando said.