KRACK Looms Over Wi-Fi's WPA2 Encryption - Android and Linux More Susceptible Targets - P2

This is the second of a two-part insight regarding a brand new spectrum of WPA2 (Wi-Fi Protected Access) encryption vulnerabilities. The acronym KRACK (Key Reinstallation AttaCKs) was used to collectively describe these recent Wi-Fi weaknesses. The previous insight examined the type of vulnerabilities, the method of attack, a simple way that end-users can detect any suspicious activity, and a breakdown of all Wi-Fi connected device shipments for 2017 (estimated at 2.8 billion) which might be vulnerable to this or other replay attacks and manipulation or copying of encryption keys.

With Android and Linux devices being the more susceptible OSs andpersonal devices and home networks being among the more prominent targets, it seems that as of now, the best way for users to protect their devices is to switch to a WPA2 + AES combo encryption in their connection settings. That said, it will be unlikely that the KRACK vulnerabilities will run rampant across the digital landscape for much longer because technology companies have already started rolling out some quick-fixes. There have not been any reports which suggest any major issues on Windows or Apple but Microsoft has already released a patch for devices running all OS versions from Windows 8 onward, while Android and Linux are planning to deliver a fix within the next few days.

The main headline is not that KRACK will essentially compromise and wipe out a large portion of Wi-Fi connected devices – far from it. The digital security industry has survived much worse disasters which dealt with compromised systems in nuclear reactors, not encryption processes in smartphones. However, what the KRACK vulnerabilities should teach the consumer electronics tech players is that security holes always exist among the most dominant protocols, and that by the time they are uncovered there’s no telling who might have been eavesdropping. If there’s one thing that Snowden taught the industry is that we should never assume we are protected – no matter who provides the protection.

Wi-Fi, as one of the leading communication protocols worldwide, belongs to the IEEE 802.11x network standards. WPA along with its upgraded protocol WPA2 (which is also recommended as the default for home networks) are the leading encryption protocols for Wi-Fi since 2003 after taking over from WEP (Wired Equivalent Privacy) which was created in the era of wired-only enabled internet access. Both protocol WPA and WPA2 are primarily used with AES (Advanced Encryption Standard) 256-bit encryption – a considerable upgrade from the previous 64 and 128-bit WEP protocol.

This means that WPA (although altered and updated) has endured for more than a decade and continues to be quite prevalent even now – during the dawn of the IoT – where almost every device is developed to find its way to HTTP one way or another. That said, it would not be entirely pessimistic to expect this turn of events where large-scale vulnerabilities are found even now. Wi-Fi is quite a heavy, burdensome protocol compared to some of lighter alternatives (e.g. ZigBee, Z-Wave), a feature which is required to enable connection to such a wide and data-hungry spectrum of devices. Further, the more prominent and widely-used a protocol is, the more likely it is to attract the attention of fraudsters and cyber-attackers.

Moving forward, we will expect to see more pressure being forced on all major IoT communication and encryption protocols. Unfortunately, it isn’t going to be a smooth ride and there will not always be enough time to prepare (like the KRACK attacks). More often than not the industry will be forced to just weather the IoT storm. It would be re-assuring though, to see more steps being taken from leading tech companies who will be forced to deal with more protection in consumer devices. That is, of course, if the FBI withdraws its current desire to install backdoors in leading operating systems.