KRACK IoT: How the Latest Widespread Wifi WPA2 Vulnerability is Affecting the Internet of Things
A wifi encryption vulnerability has sent the entire tech industry scrambling, leaving the vast majority of wifi devices and networks, from many vendors, vulnerable to eavesdropping, traffic manipulation, and packet injection by attackers.
The vulnerability, KRACK, is caused by a flaw in the four-way handshake used by WPA2. By blocking the client's final handshake message and replaying the access point's message 3, an attacker within radio range forces the client to reinstall a key it is already using, which resets the packet number that serves as the cipher's nonce and replay counter. The client then reuses nonces, so keystream repeats: depending on the cipher in use, this lets the attacker decrypt and replay frames, and with TKIP or GCMP also forge and inject them.
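The following is an added example written for this article, not code from the KRACK researchers or from any vendor. It models the client side of the handshake with two counters, the transmit packet number (PN) and the receive replay counter, and shows what a replayed message 3 does to each: a vulnerable client reinstalls the key and resets both, so its next frame reuses a nonce (letting an attacker with one known plaintext recover the other) and a recorded frame from the access point is accepted a second time; a patched client ignores a retransmission for a key it already has. The cipher is a SHA-256 keystream standing in for CCMP's AES-CTR, the addresses, PTK and frames are constructed sample data, and the `Supplicant` class and `krack_scenario` function are names chosen for the demo.

```python
"""Model of the KRACK key-reinstallation bug in the WPA2 4-way handshake.

Added example, not code from the KRACK authors or any vendor. The cipher is a
SHA-256 keystream standing in for CCMP's AES-CTR; the only property modelled is
that the same (key, sender, PN) always yields the same keystream.
"""
import hashlib
from typing import Optional, Tuple


def keystream(key: bytes, sender: bytes, pn: int, length: int) -> bytes:
    # CCMP's nonce is (sender address, 48-bit PN); a fresh PN per frame is what
    # keeps the keystream from repeating. Stand-in for AES-CTR, not real CCMP.
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + sender + pn.to_bytes(6, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client side of the handshake, reduced to key installation and PN handling."""

    def __init__(self, addr: bytes, patched: bool):
        self.addr = addr
        self.patched = patched
        self.ptk: Optional[bytes] = None
        self.tx_pn = 0  # PN for frames this client sends; must never repeat under one key
        self.rx_pn = 0  # highest PN accepted from the AP; CCMP replay protection

    def receive_msg3(self, ptk: bytes) -> None:
        # The AP retransmits message 3 when message 4 never arrives; that
        # retransmission is the frame a KRACK attacker blocks and later replays.
        if self.patched and self.ptk == ptk:
            return  # patched behaviour: never reinstall a key already in use
        self.ptk = ptk
        self.tx_pn = 0  # (re)installation resets both counters: this is the bug
        self.rx_pn = 0

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        self.tx_pn += 1
        ks = keystream(self.ptk, self.addr, self.tx_pn, len(plaintext))
        return self.tx_pn, xor(plaintext, ks)

    def receive(self, ap_addr: bytes, pn: int, ciphertext: bytes) -> Optional[bytes]:
        if pn <= self.rx_pn:
            return None  # CCMP drops a frame whose PN does not increase
        self.rx_pn = pn
        return xor(ciphertext, keystream(self.ptk, ap_addr, pn, len(ciphertext)))


# Constructed sample addresses and traffic (not captured data).
AP = b"\x00\x11\x22\x33\x44\x55"
CLIENT = b"\x66\x77\x88\x99\xaa\xbb"
KNOWN_FRAME = b"GET /status HTTP/1.0\r\nHost: hub\r\n"  # predictable polling request
SECRET_FRAME = b"POST /unlock token=c0ns7ruc7ed\r\n"    # what the attacker wants
AP_COMMAND = b"cmd=unlock-front-door"                   # AP-to-client frame worth replaying


def krack_scenario(patched: bool) -> dict:
    ptk = hashlib.sha256(b"constructed PTK for the demo").digest()
    client = Supplicant(CLIENT, patched)
    client.receive_msg3(ptk)                    # handshake completes, PTK installed
    pn1, c1 = client.send(KNOWN_FRAME)          # attacker records this frame
    ap_pn = 1
    ap_ct = xor(AP_COMMAND, keystream(ptk, AP, ap_pn, len(AP_COMMAND)))
    client.receive(AP, ap_pn, ap_ct)            # legitimate command, accepted once
    client.receive_msg3(ptk)                    # attacker replays message 3
    pn2, c2 = client.send(SECRET_FRAME)         # same PN as frame 1 if reinstalled
    nonce_reused = pn1 == pn2
    # Keystream reuse: c1 ^ c2 == p1 ^ p2, so one known plaintext reveals the other.
    recovered = xor(xor(c1, c2), KNOWN_FRAME) if nonce_reused else None
    replayed = client.receive(AP, ap_pn, ap_ct)  # replay of the recorded AP frame
    return {"nonce_reused": nonce_reused,
            "recovered_frame": recovered,
            "replay_accepted": replayed == AP_COMMAND}


if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "vulnerable", krack_scenario(patched))
```

Run it and the vulnerable client reports the nonce reused, the secret frame recovered byte for byte, and the replayed command accepted; the patched client reports none of the three. The model leaves out the all-zero-key behaviour some Linux and Android clients exhibited, the group-key and 802.11r variants, and the cipher-specific forgery conditions; those change how bad a given device's exposure is, not the core of what a reinstallation does.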
If you’re wondering whether your home network is vulnerable, assume it is. The flaw is in the client side of the handshake, so every unpatched wifi client is affected: your phone and computer, and the many connected devices in both industrial and home settings that make up the Internet of Things. Access points are affected too when they support 802.11r fast roaming or themselves join another network as a client.
Some vendors, having been briefed before the public release of KRACK’s details, met Monday’s announcement already having patches available – but those need to actually be applied to devices. Many vendors, and many more devices that either have not yet been updated or are difficult to update, remain vulnerable to KRACK.
We cannot stress enough how vital it is to patch your devices.
The impacts include, but are not limited to, the following:
- Compromising privacy by intercepting sensitive information where sufficient extra layers of encryption are not used (this is, unfortunately, common in resource-constrained IoT devices)
- Compromising security by attacking and breaking into devices on affected networks
- Impersonation and unauthorized access to industrial/other control systems
- Compromising connected access control and security systems
- Thwarting IP-based access control, such as is commonly used in firewalling
- Attacking site-to-site VPN links that ride over wifi where the tunnel’s own authentication and encryption are weak or absent (a properly configured VPN still protects the traffic inside it)
- DNS spoofing (since authenticated DNS is almost never deployed), and the related compromise of TLS/HTTPS connections where certificate validation is disabled or incomplete (this too is, unfortunately, common in resource-constrained IoT devices)
The potential long-term damages in IoT associated with a successful attack include permanently breaking trust models (requiring firmware changes or device replacement), compromise of credentials and any associated damages that result, and even identity theft or theft of sensitive private information.
What Types of Devices are Affected
- Various types of embedded microcontroller devices (e.g. Espressif)
- Embedded Linux/other OS devices (e.g. Raspbian)
- Mobile phones
- Personal computers
- Wireless access points and routers that support 802.11r fast roaming, and any bridge, repeater, or mesh node that itself joins a wifi network as a client
What To Do Next
There’s good news and bad news.
The good news is you don’t have to wait for a new security standard (e.g. WPA3) to come out and be adopted. The other good news is that fixes exist for many devices and modules.
The bad news is that, for IoT, updating devices is often non-automatic, difficult, or impossible. For example, fixing a device built on an affected module (an Espressif module, say) requires not only the patch released by Espressif but also a firmware update from the device’s manufacturer that incorporates that patch. Furthermore, many IoT devices do not support user-serviceable upgrades, are no longer actively supported, or have owners who simply do not know how to upgrade them.
And according to HD Moore, a network security researcher at Atredis Partners, for IoT the end definitely isn’t near.
“We’re probably still going to find vulnerable devices 20 years from now,” he said in a recent Wired piece.
Thankfully there are things you can do.
- Power down all devices that have not yet been patched
- Coordinate with each device vendor to patch devices that are able to be patched
- Patch all wireless access points, bridges, and routers
- Replace wireless (wifi) connections with either wired connections or private networks over an IoT cellular connection to reduce the attack surface of your devices and networks
- Place all devices on separate, restricted subnets or VLANs, give devices that must use wifi their own dedicated wireless networks, and enforce different access controls per subnet (so that, for example, your HVAC controls cannot reach your SAN)
- Replace all devices that cannot otherwise be patched
Module and Vendor Responses
Hologram users rejoice – no hardware or software produced by Hologram was or is vulnerable to the KRACK Attack. Other vendors, however, aren’t so lucky.
Raspberry Pi announced that Pis were vulnerable until patched versions of the affected Debian packages became available for Raspbian. Thankfully the company has since published the fix in the public Raspbian repository.
Espressif confirmed that its chipsets are affected by the key-management vulnerabilities and has released a patch. It also encourages all users of Espressif chipsets to upgrade their systems as soon as possible.
A comprehensive list of affected vendors can be found here.