November 20, 2017 By Paul Gillin 3 min read

When I began writing about the wireless security lessons learned from the WPA2 vulnerability, I decided to start looking into my own level of exposure. My home network runs WPA2 on a combination cable modem/wireless router leased by my internet service provider (ISP), so I assumed the cable company might have sent me an alert. A search of previous emails turned up nothing.

I visited the ISP’s website for instructions, but there were no alerts on the home page and no messages. I asked the automated assistant about the status of a patch and it responded with the chatbot equivalent of a blank stare. There were a couple of questions posted in the community forums, but no one from the ISP had responded.

It wasn’t until I called technical support and got a person on the line that I learned my router was unaffected. That was a relief, but how many consumers would have gone to such lengths? How many would even know that this KRACK vulnerability existed, much less how to apply a patch?

Flying Under the Radar

Therein lies one of the biggest wireless security lessons of the WPA2 vulnerability: Few people are aware of it, fewer know how to patch it and fewer still will bother to do so.

The KRACK attack is a game changer because the flaw is in the WPA2 protocol itself rather than in one vendor's product: every client that implements the four-way handshake is affected, and access points are affected as well where they support 802.11r fast roaming. That makes tracking down and fixing the problem far harder than removing a virus. PC and mobile device-makers can ship the fix in their regular updates, but few of the millions of off-the-shelf routers and wireless access points in small businesses and homes around the world have any such capability.

A lot more semi-intelligent wireless devices are about to come online with the Internet of Things (IoT). Most will communicate over Wi-Fi or Bluetooth, the latter of which has recently been shown to be vulnerable to the BlueBorne attack. These weaknesses may be rather arcane and difficult to exploit for now, but as the Electronic Frontier Foundation (EFF) recently pointed out, “it’s the kind of thing that will likely soon be automated in software,” distributed on the Dark Web and used by attackers to target the masses of unpatched equipment.

That’s the second major wireless security lesson of the WPA2 vulnerability: The attack surface has now expanded to include infrastructure. Vulnerabilities at the infrastructure level affect many more people and devices than those at the device level because the resource is shared. In the case of WPA2, attackers don’t even have to connect to the network, said David Gorodyansky, CEO of AnchorFree, in an interview with The Next Web. They can “listen to the data you exchange with an access point and emit their own packets to change things on your system and the router.”
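The "listen to the data you exchange with an access point" part rests on one detail of the handshake: an access point may retransmit message 3 if it does not hear message 4, and a vulnerable client reinstalls the already-installed key on that duplicate and resets its packet number to zero, so later frames reuse keystream. The following model is an added illustration, not code from the article or from the KRACK researchers. It stands in a constructed SHA-256 counter-mode keystream for AES-CCM (the property exploited, a keystream that depends only on key and packet number, is the same), and the key, frames and `Client`/`eavesdrop` names are all constructed for the demo.

```python
"""Model of the KRACK key-reinstallation problem against a WPA2 client.

Added illustration, not the article's code or the researchers' tooling.
Real WPA2 (CCMP) uses AES-CCM; the keystream here is a constructed stand-in
built from SHA-256 in counter mode. The property that matters is shared:
the keystream depends only on (key, packet number), so reusing a packet
number under the same key reproduces the same keystream.
"""
import hashlib

# Constructed sample traffic (not captured data).
KNOWN_FRAME = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
SECRET_FRAME = b"Cookie: session=constructed-token-42\r\n"


def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Counter-mode keystream: block i = H(key || packet_number || i)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            key + packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Client-side state after the four-way handshake, reduced to what KRACK touches."""

    def __init__(self, ptk: bytes, patched: bool) -> None:
        self.ptk = ptk
        self.patched = patched
        self.installed = False
        self.packet_number = 0  # the CCMP packet number doubles as the nonce

    def receive_message3(self) -> None:
        """Message 3 of the handshake: install the pairwise key.

        The access point may retransmit message 3 if it misses message 4, so a
        client must accept a duplicate. The vulnerable behaviour is to reinstall
        the key on the duplicate and reset the packet number to zero.
        """
        if self.installed and self.patched:
            return  # same key already in use: keep the counter, do not reinstall
        self.installed = True
        self.packet_number = 0

    def send(self, plaintext: bytes) -> bytes:
        """Encrypt one data frame and advance the packet number."""
        assert self.installed, "no key installed"
        ct = xor(plaintext, keystream(self.ptk, self.packet_number, len(plaintext)))
        self.packet_number += 1
        return ct


def eavesdrop(patched: bool) -> bytes:
    """Attacker within radio range: replay message 3, then recover a later frame.

    Returns what the attacker recovers of SECRET_FRAME without ever learning the key.
    """
    ptk = b"constructed pairwise transient key"  # never seen by the attacker
    client = Client(ptk, patched)

    client.receive_message3()           # genuine message 3 from the AP
    c1 = client.send(KNOWN_FRAME)       # frame whose plaintext the attacker can guess
    client.receive_message3()           # attacker replays the captured message 3
    c2 = client.send(SECRET_FRAME)      # reuses packet number 0 if the client is vulnerable

    # Keystream recovery needs no key material: ks = c1 XOR known plaintext.
    recovered_keystream = xor(c1, KNOWN_FRAME)
    return xor(c2, recovered_keystream[: len(c2)])


if __name__ == "__main__":
    print("vulnerable client:", eavesdrop(patched=False))
    print("patched client:   ", eavesdrop(patched=True))
```

Run it and the vulnerable client hands back the second frame in the clear, while the patched client, which keeps its packet counter when it sees the duplicate message 3, yields only noise. The fix belongs on the client side of the handshake, which is why the patches went into operating systems and Wi-Fi supplicants as well as router firmware.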

Infrastructure vulnerabilities are not only more insidious, but also harder to repair, because the affected devices rarely update themselves. Fixing a router usually means locating the vendor's firmware, if one has been released at all, and applying it through an administrative interface most owners have never opened. That takes technical expertise the average consumer or small business owner doesn't have.

Assume Nothing When It Comes to Wireless Security

There's no guarantee that a technology is safe just because it is widely used. The Heartbleed OpenSSL vulnerability proved that. WPA2 is even worse because it's been around for 13 years and far more devices use it than used OpenSSL. This is a third major lesson: Don't assume that popular means protected.

One reason it took so long for researchers to identify the KRACK vulnerability is that WPA2 isn't easy to test. The four-way handshake had even been formally proven secure, but the proof did not model what happens when a handshake message is retransmitted and the key installed a second time. As the EFF put it, "Important protocols like WPA and WPA2 should be open and free to the public so that security researchers can investigate and catch these sorts of vulnerabilities early … before [they're] embedded in billions of devices." How many IoT device-makers open source their software?

Waiting for researchers to stumble upon a problem isn’t an enterprise security strategy. Current security strategies have focused on protecting endpoints on the corporate network, but many IoT devices communicate directly with manufacturers or control hubs over the public internet, 4G networks or Bluetooth.

Protecting Networks and Endpoints

That’s why the fourth major lesson of WPA2 is that enterprise security needs to protect endpoints and the corporate network alike. One recent survey of federal agencies found that 44 percent of endpoints are unknown or unprotected, meaning there is no way to detect if they have been compromised. Once these devices connect to the network, whatever exploits have affected them become the organization’s problem.

Device-makers can do their part by building basic functionality into their products: Simple Network Management Protocol (SNMP) support so the devices can at least be inventoried and monitored (SNMPv3, which adds authentication and encryption, rather than the older community-string versions) and a remote update mechanism so fixes can actually reach them. Security companies can take connected device threats more seriously in their product development. All this needs to be wrapped in enhanced user training based on the belief that security is everyone's responsibility.

The most alarming lesson I learned from this exercise is that my own ISP didn’t take very seriously a flaw that potentially could have affected all its customers. As long as we trivialize these vulnerabilities as the domain of tech geeks, the bad guys will have an open field.
