A vulnerability in Wi-Fi encryption has sent the entire tech industry scrambling; the so-called Krack attack affects nearly every wireless device to some extent, leaving them subject to hijacked internet connections. In terms of scope, it doesn’t get much worse—especially for the Internet of Things.
The extent of the Krack fallout remains to be seen. Security analysts say it’s a tricky vulnerability to take advantage of, and major platforms like iOS, macOS, and Windows are either unaffected or have already been patched. But given the millions of routers and other IoT devices that will likely never see a fix, the true cost of Krack could play out for years.
“For the general sphere of IoT devices, like security cameras, we’re not just underwater,” says Kevin Fu, a computer scientist at the University of Michigan who focuses on medical device security. “We’re under quicksand under water.”
Krack exposes just how deeply those problems run—and how slowly the industry has moved to fix them.
Whatever advice you may have heard for dealing with Krack, only one actually has tangible benefit: Patch your devices. (You can find a running list of companies that have provided one here.)
If you have an iPhone, Mac, or Windows computer, you really should patch right now. If you have an Android device, an update’s in the offing, though it may take some time to reach you if you have anything but a Pixel or Nexus. But after that, you’re all set! Those are in good shape.
‘We’re not just underwater. We’re under quicksand under water.’
Prof. Kevin Fu, University of Michigan
But your router? Your security camera? Your internet-connected garage door? Get comfy.
“We’re probably still going to find vulnerable devices 20 years from now,” says HD Moore, a network security researcher at Atredis Partners.
That’s because even under the best of circumstances, IoT devices rarely receive the necessary software updates to correct security issues. For a problem as complex as Krack, which impacts the industry at a protocol level and requires a coordinated effort to fix, in many cases your best bet is just to buy new equipment once patched options are on the market.
The challenges also go beyond the mere availability of a patch. Take Netgear. To its credit, the company made fixes available for a dozen of its router models the day that Krack went public. But it makes over 1200 products, each of which needs to be tested for specific Krack impact. In many cases, Netgear also can’t make those fixes alone; it needs its chipset partners to tackle the issue as well.
And when those patches do become available, the company has limited ways to inform customers they need to update as soon as possible. It sends emails to those who register their products, and sends out an advisory, and posts in community forums. The remainder of Netgear customers—the bulk of them—will have to read a news report like this one, and hunt down the right download link to install the fix. And even if they do that, the actual patching process requires logging into Netgear’s access point web-management interface from your computer, which may rightly baffle a number of router owners.
“I wouldn’t claim that anyone can just do it,” says Netgear CIO Tejas Shah. “We recognize the need to educate the customer and help the customer when they’re faced with this problem.”
Those issues aren’t unique to Netgear, which, again, gets a star for making patches immediately available. But they do underscore just how ill-prepared wireless devices are for this kind of industry-wide calamity.
And that’s just routers, which people by and large are at least aware connect to the internet. IoT devices are a whole extra level of opaque.
“Users aren’t even going to realize that they have a Wi-Fi IoT device. The refrigerator could be one of those,” says Bob Rudis, chief data scientist at security company Rapid7. “The fridge is probably not going to get patches on its own.”
A connected refrigerator may sound like a silly example, but they do exist, as do connected windows and sprinkler systems and pretty much everything else. These often have no easily accessible interface, making applying patches difficult, even if they somehow do exist. And Rudis says that while a hacked appliance won’t cough up your browsing history or contact lists to a hacker, vulnerable IoT devices present a different kind of threat.
“It’s not just confidentiality. It’s the integrity. If someone does manage to successfully do this attack and targets your IoT devices, they could take advantage of the vulnerability and open your garage, or unlock your door,” says Rudis.
And until or unless you upgrade those (needless to say, expensive) connected devices, chances are they’ll remain exposed for decades.
That feeling that’s sinking in is hopelessness. The problems with IoT security run both so broadly and so deep, and Krack exposes them so fully, that giving up altogether feels about right.
It doesn’t have to, though. There has, in recent months and years, been some movement toward fixing IoT security, or at least making it less comically inept.
Go back to routers for a minute. If you have an older model, you’re almost certainly out of luck—in fact, if you go back far enough, it may not even support WPA2 in the first place. But a glimmer of hope has appeared in a new generation of mesh-network routers, devices that come with an app for easy interface access, and that, crucially, offer auto-update abilities.
That means that when a Krack does happen, the company can both alert users immediately to the issue, and push out a fix without an owner having to raise a finger, much less navigate an access point web management GUI.
Take Eero, one of the original mesh network companies. It had automatically pushed out a fix to its beta customers within hours of the Krack news. After thorough testing—to ensure that the cure doesn’t have unexpected side effects—it’ll send its Krack patch out to all of its users at once.
“Our system was designed for scenarios like this from the ground up,” says Eero CEO Nick Weaver. “If we need to push an update to 100 percent of our Eeros, we can do that almost instantaneously. That’s one of the core features of our product.”
‘If a car manufacturer has a fundamental flaw in a car, it doesn’t matter how long that flaw has been there. Once it’s been identified, they have to do a recall, they have to fix it or replace it.’
Bob Rudis, Rapid7
Autoupdates have their own issues. In August, a smart-lock company called Lockstate unintentionally bricked one of its products by pushing a buggy software. Some customers had to send their locks back to the company for a “reset” before they were able to secure their doors again. Not ideal. Hackers have also used autoupdates to push malware on a large scale, as the NotPetya malware that plagued the Ukraine—and several large multinational corporations—did this summer.
Still, in the ever-present risk calculation between convenience and security, IoT autoupdates seem like a net good, especially with a thorough beta process in place to squash any bugs before they go wide.
“In general, autoupdate is more beneficial than not,” says Moore, “assuming it’s done right.”
Netgear, too, has embraced that model on its higher-end Orbi mesh network system. Shah says the company plans to “enable as many products as possible to autoupdate.” That doesn’t help, though, any of Krack-afflicted routers already on the market.
Slow improvement has come from other quarters as well. The price of entry into a smart-home ecosystem like Apple’s HomeKit includes meeting certain security requirements; as the IoT industry continues to coalesce around those platforms, they’ll have to demonstrate at least a base competence in keeping their devices safe, and an interest in maintaining that integrity.
And failing that, the specter of regulation looms. Senator Mark Warner of Virginia introduced a bill in August that would mandate certain security minimums for smart devices. While it hasn’t seen much traction yet, highly publicized security meltdowns like Krack could pressure other lawmakers to take notice.
“Vulnerability in WPA2 highlights the impact of vulnerabilities in widely-adopted components and protocols, and illustrates the importance of adopting basic hygiene requirements for the rapidly proliferating Internet of Things,” Warner said in a statement to WIRED.
Those measures could help some, but experts remain skeptical that they go far enough.
“I suspect at the end of the day there will be some kind of regulatory, or at least policy-based methods to incentivize baseline cybersecurity hygiene,” says Fu, who has testified before Congress on IoT security issues. “The sad news is, it’s so far below the bar. It’s like handing out Kleenex when you’ve got Ebola.”
Rapid7’s Rudis suggests borrowing from another industry’s existing framework.
“If a car manufacturer has a fundamental flaw in a car, it doesn’t matter how long that flaw has been there. Once it’s been identified, they have to do a recall, they have to fix it or replace it,” Rudis says.
A similar enough system does, in fact, apply for connected medical devices. Companies need not only to issue recalls but follow through on them, contacting each consumer directly. It seems unlikely, though, to carry over to the broader world of IoT any time soon.
There’s likely no panacea for IoT’s security woes. The best hope probably lies in a combination of companies becoming more agile, more able to fix broken things quickly—and for consumers to see that as an important selling point, to create an economic incentive where currently none exists.
“We need to create these things so that they can fail gracefully, rather than catastrophically,” says Fu.
It doesn’t seem like so much to ask. But a catastrophe like Krack shows just how far IoT has until it gets there.