A vulnerability in Wi-Fi encryption has sent the entire tech industry scrambling; the so-called Krack attack affects nearly every wireless device to some extent, leaving them subject to hijacked internet connections. In terms of scope, it doesn’t get much worse—especially for the Internet of Things.
The extent of the Krack fallout remains to be seen. Security analysts say it’s a tricky vulnerability to take advantage of, and major platforms like iOS, macOS, and Windows are either unaffected or have already been patched. But given the millions of routers and other IoT devices that will likely never see a fix, the true cost of Krack could play out for years.
“For the general sphere of IoT devices, like security cameras, we’re not just underwater,” says Kevin Fu, a computer scientist at the University of Michigan who focuses on medical device security. “We’re under quicksand under water.”
Krack exposes just how deeply those problems run—and how slowly the industry has moved to fix them.
Catastrophe
Whatever advice you may have heard for dealing with Krack, only one piece of it actually has a tangible benefit: Patch your devices. (You can find a running list of companies that have provided one here.)
If you have an iPhone, Mac, or Windows computer, you really should patch right now. If you have an Android device, an update’s in the offing, though it may take some time to reach you if you have anything but a Pixel or Nexus. But after that, you’re all set! Those are in good shape.
But your router? Your security camera? Your internet-connected garage door? Get comfy.
“We’re probably still going to find vulnerable devices 20 years from now,” says HD Moore, a network security researcher at Atredis Partners.
That’s because even under the best of circumstances, IoT devices rarely receive the necessary software updates to correct security issues. For a problem as complex as Krack, which impacts the industry at a protocol level and requires a coordinated effort to fix, in many cases your best bet is just to buy new equipment once patched options are on the market.
The challenges also go beyond the mere availability of a patch. Take Netgear. To its credit, the company made fixes available for a dozen of its router models the day that Krack went public. But it makes over 1200 products, each of which needs to be tested for specific Krack impact. In many cases, Netgear also can’t make those fixes alone; it needs its chipset partners to tackle the issue as well.