The Internet Of Things Just Got Even More Unsafe To Use – Forbes
You’ve probably heard this one before. A scientist grows abnormally obsessive about his research. He is in over his head. He is fiddling with powers way beyond his own physical or intellectual capability. The next thing you know, an apocalypse is nigh. If you were to really think about it now, that’s pretty much the case with the internet of things today. We have in our hands a technology with unlimited potential, a technology that can actually allow the myriad devices connected within our network to talk to each other and even exchange information on how to serve you in the best way possible. It’s marvelous. It’s breathtaking. But it also comes at a huge cost to your personal security.
The internet of things is like a many-headed snake. There are just so many different parties involved here, so many users, so many service providers, so many different companies manufacturing these smart devices that we can’t seem to get over. The decentralized outlook is what makes this technology so awesome, but it also makes it highly difficult to tame. When software has a bug, the developer issues a patch. But what do you do when the very technology that runs the entire network on which your home system is based has a glaring flaw? That’s pretty much what happened here.
“The KRACK vulnerability allows malicious actors to access a WiFi network without the password or key, observe what connected devices are doing, modify the traffic amongst them, and tamper with the responses the network’s users receive. Everyone and anything using WiFi is at risk. Computers, phones, tablets, gadgets, things. All of it. This isn’t just a flaw in the way vendors have implemented WiFi. No. It’s a bug in the specification itself.” – John Romkey, Founder of FTP Software
Mathy Vanhoef, Security Researcher at KU Leuven, made headlines last week with a blog post in which he described a strange new vulnerability that had the potential to affect every device that has ever been on a wi-fi network all at once. The vulnerability, dubbed KRACK or Key Reinstallation Attack, has a simple way of functioning. WPA2-PSK, the most widely used protocol for securing devices and routers connected to a wi-fi network, had a glaring flaw. This flaw lets a third-party hacker trick their way into a device as it connects to a wi-fi network using a password, and then access and modify all information available to this device without even being on the network. By interfering with the authorization process that allows a device to connect to a closed wi-fi network, the hacker can do things such as intercept traffic, access stored data and even modify information accessed by the device at the time. So this hacker could tell which websites you like to visit, play that video from your friend’s wedding last month or even infect your device with unknown malware to cause further damage. Just to be clear, this vulnerability affects any and all devices that can connect to wi-fi networks, regardless of which software they are running.
Thankfully, for most users, software developers around the world have already come up with their own patches that prevent hackers from exploiting this vulnerability to gain access to your device as it connects to a network. Most unfortunate are the many users of the internet of things, which includes pretty much anyone who has ever owned a smart home or driven a smart car, who may not receive these patches until it’s too late.
“The KRACK vulnerability presents itself as a serious threat, especially to end users who own internet of things technology in their homes. While enterprises can secure users with such services as mobile VPN, SD-WAN, and IPS, most IOT devices lack the muscle to run a mobile VPN and consumers don’t generally run SD-WAN or IPSes in their homes.” – Shlomo Kramer, CEO and Co-Founder of Cato Networks
If you own a smart home, chances are that you have already plugged a variety of smart devices into your wi-fi network to help make your daily life more convenient. The problem with this, however, is that each of these devices comes from a different hardware and software provider, many of whom may have already gone out of business, making it incredibly difficult to get your hands on a proper patch. If you’re concerned about whether the maker of your smart home device has already issued a patch, check out this list where one of my colleagues has done a great job of noting down all of the companies that have already issued patches for this vulnerability.
Halloween is here now. Not the one with the carved pumpkins and silly dresses and colored candies. The real Halloween. The one where evil lurks beneath the eye and seeks to devour those that aren’t fit to survive. Nothing is safe. It’s time to secure your home network. Get rid of all unwanted devices and download every damn patch your software provider has released. As they always say, prevention is better than cure.