My five cents on the “krack” Wi-Fi / WPA2 security issue that is now slowly but steadily getting out of focus again. This is a classic “Internet of Things”, or “Internet of crappy Things”, topic that I have written about before.
It is highly questionable whether “krack” will ever really disappear, in the sense that it will be patched and fixed so thoroughly that no one has to worry about it anymore. Yes, a variety of providers of affected software and hardware have announced or even distributed such patches. But when it comes to the long tail of Wi-Fi enabled Internet of Things, smart home or whatever kind of connected devices, it would be naïve not to assume that millions of vulnerable devices will remain unpatched, without any security updates. Among those are certainly older smartphones based on outdated versions of Android, which have already made a bad impression in the past with slow or missing update cycles.
IoT and smart home are the real pain points
But by far the biggest danger arises in the IoT and smart home space. Do you really think that providers of cheap Wi-Fi cameras that you usually get in DIY stores will provide you with prompt updates? Or with any updates at all? Of course not. It’s just neither in their mindset nor in their business model to engage in complex and costly development and distribution processes for security patches. Or how often in the past did you go through a software update process for your connected TV or cleaning robot?
So where does this lead us? Smart TVs, connected set-top boxes, connected white goods, Wi-Fi cameras and the like will be unpatched back doors into our private networks. And this is not where it stops… corporate networks are just as vulnerable and could provide delicate back doors for intelligence services and cyber criminals. A single unpatched and vulnerable device is enough to expose your entire network to such attacks.
Be conscious – know what you’re buying
What to do now? My advice: decide very carefully which Wi-Fi or otherwise connected devices should become part of your network. Before a new purchase, read the reviews to get a feel for the update and patch history of that particular provider. If necessary, spend that extra money for a more secure outlook for your network. Still, outside of your own area of responsibility, we will see the rise of more botnets that are able to carry out even more powerful and vicious DDoS and other attacks on all of us.
And maybe it isn’t such a bad idea to call or write to the providers of your existing affected devices and ask them for patches and updates. If only enough of us do it, maybe a change in thinking and security philosophies will be the eventual result.