On Monday, the security community scrambled to unpack Krack, a fundamental vulnerability in the ubiquitous, secure Wi-Fi network standard known as WPA2.
Though some of the most popular devices are mercifully already protected (like most of those that run Windows and iOS), a staggering population remains exposed to data theft and manipulation every time they connect to WPA2 Wi-Fi. But as another interminable patching process begins, a different conversation is picking up, too, about how to catch flaws in crucial standards more quickly, and make it easier to patch them.
No software is perfect. Bugs are inevitable now and then. But experts say that software standards that impact millions of devices are too often developed behind closed doors, making it difficult for the broader security community to assess potential flaws and vulnerabilities early on. They can lack full documentation even months or years after their release.
“If there is one thing to learn from this, it’s that standards can’t be closed off from security researchers,” says Robert Graham, an analyst for the cybersecurity firm Erratasec. “The bug here is actually pretty easy to prevent, and pretty obvious. It’s the fact that security researchers couldn’t get their hands on the standards that meant that it was able to hide.”
The WPA2 protocol was developed by the Wi-Fi Alliance and the Institute of Electrical and Electronics Engineers (IEEE), which acts as a standards body for numerous technical industries, including wireless security. But unlike, say, Transport Layer Security, the popular cryptographic protocol used in web encryption, WPA2 doesn’t make its specifications widely available. IEEE wireless security standards carry a retail cost of hundreds of dollars to access, and costs to review multiple interoperable standards can quickly add up to thousands of dollars.
“There are quite a few other IEEE standards that shared the same fate as WPA2, from vehicular communications to healthcare IT, which are only available in a timely fashion for significant sums,” says Emin Gun Sirer, a distributed systems and cryptography researcher at Cornell University. “There’s an academic program, but it only makes standards available to academics six months after they have been published, which is far after they have been implemented and buried deep within devices.”
Even open standards like TLS experience major, damaging bugs at times. Open standards have broad community oversight, but don’t have the funding for deep, robust maintenance and vetting; researchers argue that you need both to catch the kind of ubiquitous bugs that can plague standards. And if open protocols still have frequent bugs even with crowdsourced vetting, more closed software logically runs a higher risk of oversights.