On Monday, the security community scrambled to unpack Krack, a fundamental vulnerability in the ubiquitous, secure Wi-Fi network standard known a WPA2. Though some of the most popular devices are mercifully already protected (like most of those that run Windows and iOS), a staggering population remains exposed to data theft and manipulation every time they connect to WPA2 Wi-Fi. But as another interminable patching process begins, a different conversation is picking up, too, about how to catch flaws in crucial standards more quickly, and make it easier to patch them.
No software is perfect. Bugs are inevitable now and then. But experts say that software standards that impact millions of devices are too often developed behind closed doors, making it difficult for the broader security community to assess potential flaws and vulnerabilities early on. They can lack full documentation even months or years after their release.
“If there is one thing to learn from this, it’s that standards can’t be closed off from security researchers,” says Robert Graham, an analyst for the cybersecurity firm Erratasec. “The bug here is actually pretty easy to prevent, and pretty obvious. It’s the fact that security researchers couldn’t get their hands on the standards that meant that it was able to hide.”
The WPA2 protocol was developed by the Wi-Fi Alliance and the Institute of Electrical and Electronics Engineers (IEEE), which acts as a standards body for numerous technical industries, including wireless security. But unlike, say, Transport Layer Security, the popular cryptographic protocol used in web encryption, WPA2 doesn’t make its specifications widely available. IEEE wireless security standards carry a retail cost of hundreds of dollars to access, and costs to review multiple interoperable standards can quickly add up to thousands of dollars.
‘If there is one thing to learn from this, it’s that standards can’t be closed off from security researchers.’
Robert Graham, Erratasec
“There are quite a few other IEEE standards that shared the same fate as WPA2, from vehicular communications to healthcare IT, which are only available in a timely fashion for significant sums,” says Emin Gun Sirer, a distributed systems and cryptography researcher at Cornell University. “There’s an academic program, but it only makes standards available to academics six months after they have been published, which is far after they have been implemented and buried deep within devices.”
Even open standards like TLS experience major, damaging bugs at times. Open standards have broad community oversight, but don’t have the funding for deep, robust maintenance and vetting; researchers argue that you need both to catch the kind of ubiquitous bugs that can plague standards. And if open protocols still have frequent bugs even with crowdsourced vetting, more closed software logically runs runs a higher risk of oversights.
“Even TLS has been coughing up bugs through 2016, and that’s a 20-year old-protocol that’s had hundreds of people looking at it,” says Matthew Green, a crypotgrapher at Johns Hopkins University, who analyzed the WPA2 vulnerability. “IEEE working groups are a closed industry process.”
Researchers note that standards development processes are unwieldy and time-consuming, which can make working groups inflexible and unwilling to evolve once they’ve put significant effort into a certain approach. “I’ve seen this over and over,” Matt Blaze, a security researcher at the University of Pennsylvania, wrote on Twitter on Tuesday. “Eventually, the most talented people stop showing up to the meetings and no one feels empowered to restart from scratch. Sunk cost fallacy. The people involved aren’t dumb, and they’re working hard to do a good job. But the process is effectively rigged to produce crap like this.”
And since it’s difficult to access the documentation for many wireless security standards produced in these closed-door processes, researchers naturally turn their bug-hunting focus elsewhere. Johns Hopkins’ Green notes that the researcher at Belgian university KU Leuven who found the WPA2 bug, Mathy Vanhoef, is one of only a few people working in the area. “Given the small number of people paying attention, it’s a lot of bugs,” Green says.
It’s possible to strike a better balance, but the process can take time. The Internet Engineering Task Force, for example, which works on internet infrastructure protocols, attempts to integrate speed and accuracy with a relatively open process. And even industries known for their rigidity can take small steps to opening up. “Historically, telephony standards were huge violators of open access, but the formation of 3gpss (responsible for LTE), an international organization that is more open, improved the situation a bit,” Cornell’s Sirer says.
Researchers hope that the debacle with WPA2 will help make the urgent need for openness more obvious and pressing. But as with any transparency drive, the initiative may be met with resistance. The IEEE has not yet returned WIRED’s request for comment.
“Robust security research that pre-emptively identifies potential vulnerabilities is critical to maintaining strong protections,” the Wi-Fi alliance said in a statement on Monday about Vanhoef’s WPA2 vulnerability discovery.
Thirteen years after the standard entered wide use, though, it’s hard to see the revelation as “preemptive.”