There are many ways a KRACK attack could go down, among them injecting malware into the right networks, capturing a crucial communication and making it public, and still other forms of attack.
Even if the KRACK bug, or Key Reinstallation Attack, is not the best route to power a DDoS attack designed to turn off power grids, shut down banking systems or worse (and all of that may be possible), it represents an extinction-level security nightmare: email and any other network traffic, regardless of encryption, is now within reach of any hacker who knows how to run the exploit.
Jab, Block, Repeat
Today, cybersecurity is about staying current with threats, because there is no such thing as making things threat-proof. The key is agility and perseverance. Hackers never stop trying to break into the hardest things to crack. Access equals payday for them.
Don't be too impressed by the bad guys. The fact is, the people paid to stop them--and the organizations that hire them--are just as hardcore, sometimes more so. The goal is to match the hackers' brand of ceaselessness--Spy versus Spy, white hat versus black hat, intensity versus intensity.
Imagine two well-matched boxers. In the middle of a good fight, there is sometimes no way to stop them from going at it till someone hits the mat. We're at that point in the history of cybersecurity.
When the Mirai malware attack took out the Dyn servers and hundreds of sites that included Amazon, Netflix, Twitter, CNN and Reddit, the world sat up and took notice. It was the first whiff of the way Internet of Things (IoT) devices could be used to launch a cyberattack.
Some companies made it their business to work on securing their products--they weren't Mirai-proof, but they were inoculated by that attack enough to start working on solutions. Eero is one of those Internet of Things manufacturers that clearly took notice. At the moment, they are doing IoT right, but being cybersecure is a transient state. Let's stick with the boxing metaphor. While you're playing to the crowd after knocking the other guy down, your opponent could get up and punch your lights out. There will almost certainly come a time when what the best cybersecurity operations out there are doing now will no longer work. You're only as good as the last hacker you stopped.
The problem with cybersecurity is the fleeting nature of functional security.
So, what's Eero doing? Simple. They are building connected devices that are patchable (a quick techspeak way of indicating devices that are capable of being updated), and they've got a rapid response system in place.
How do we know that? Again, it's a no-brainer. They had a patch ready in very short order when the latest news of a near-universal vulnerability came down the pike in the form of KRACK. Eero was not alone: Ubiquiti and Aruba had patches, too. But those companies are in the minority in a very big field of competitors that are not as cybersecurity-minded.
If the above doesn't make you want to stand up and cheer with tears in your eyes for the likes of Eero, Ubiquiti and Aruba, you're not alone--and therein lies the real kernel of the cyber-insecurity pandemic we face globally.
We need to better understand how to survive, and that means holding up examples of people and organizations that are doing things right. Only that will make us collectively more secure. We need to make cybersecurity a matter of muscle memory. Jab, block, repeat.
What Needed Patching?
Are you familiar with something called Wi-Fi Protected Access?
How about if I write it like this: WPA. You've probably seen THAT while setting up a smart device. WPA and WPA2 are the security protocols offered when you connect a device to a Wi-Fi network.
The KRACK attack takes advantage of the 4-way handshake that happens when a device holding the network's pre-shared password connects to that network.
The vulnerability was discovered by an academic named Mathy Vanhoef, who found that the Key Reinstallation Attack could allow a hacker to hijack connections and even inject content--including malware--into a traffic stream. The flaw would allow access to anything that uses the WPA2 network, and with that the ability to see everything that happens on that network. Think: skywriting.
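To make concrete why a reinstalled key is so damaging, here is an added toy model, not from the article or from any vendor's code: a client whose packet number resets whenever a key is installed, beside one that ignores a reinstall of the key it already holds. When the same key is used with the same nonce twice, both frames get the same keystream, so XOR of the two ciphertexts equals XOR of the two plaintexts. The SHA-256 keystream, the key and the frames are constructed stand-ins for CCMP's AES counter mode and real traffic.

```python
import hashlib
from typing import Optional, Tuple


def keystream_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """Toy counter-mode keystream (constructed stand-in for CCMP's AES-CTR)."""
    return hashlib.sha256(key + nonce + counter.to_bytes(6, "big")).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Minimal model of a Wi-Fi client's per-key packet-number state."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.key: Optional[bytes] = None
        self.pn = 0  # packet number; doubles as the per-frame nonce

    def install_key(self, key: bytes) -> None:
        # Vulnerable behaviour: every (re)installation resets the packet number.
        # Patched behaviour: reinstalling the key already in use is a no-op.
        if self.patched and key == self.key:
            return
        self.key = key
        self.pn = 0

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        self.pn += 1
        ks = keystream_block(self.key, b"", self.pn)
        return self.pn, xor(plaintext, ks[: len(plaintext)])


def leaked_xor(patched: bool) -> Optional[bytes]:
    """Send frame 1, replay handshake message 3 (key reinstall), send frame 2.

    Returns p1 XOR p2 if both frames were protected with the same keystream,
    otherwise None. Key and frame contents are constructed sample data."""
    key = hashlib.sha256(b"constructed-ptk").digest()
    p1 = b"GET /account HTTP/1.1"
    p2 = b"cookie=s3cr3t-session"
    sta = Station(patched)
    sta.install_key(key)
    pn1, c1 = sta.encrypt(p1)
    sta.install_key(key)  # replayed message 3 -> key reinstalled
    pn2, c2 = sta.encrypt(p2)
    if pn1 == pn2:  # nonce reused under the same key: c1 ^ c2 == p1 ^ p2
        return xor(c1, c2)
    return None
```

With the vulnerable client, anyone holding one known plaintext frame recovers the other outright; the patched client keeps counting from where it left off, so the two frames never share a keystream.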
Now think about your connected devices. Did you register any of them? What's your company policy about connected devices? The federal government is just now trying to establish a policy with legislation introduced by U.S. Senators Steve Daines (R-MT), Cory Gardner (R-CO), Mark Warner (D-VA) and Ron Wyden (D-OR) called the Internet of Things Cybersecurity Improvement Act of 2017. While it's bare bones, it's a whole lot better than nothing. There are requirements about patchability and other important baseline security considerations.
Do you have anything like that in your world?
Many IoT devices and routers are not registered, so it's impossible to get the word out to their owners--much less send a patch to protect them from attack. The bigger issue is that the majority of older connected devices out there cannot be patched. There is no way to do it.
And therein lies the biggest problem: this vulnerability is going to plague us for years to come.
The Unplanned Obsolescence of Your Connected Devices
Forget the danger of auto-updates and hackers who can use them to push malware. We are living in a virtual city that was built on shoddy foundations.
As such, the very structure of the way we connect is the problem, and until those old structures are demolished to make way for new edifices (in this case new tech), the problem will persist.
Here is a problem that cannot be reverse-engineered (at least not yet). Think of it instead as a situation to be survived. This is the reason that true security is a matter of culture--training employees to be careful and take ownership of cybersecurity--rather than a technological problem to be solved.
IoT baseline security for consumers needs to be established by the industry itself, or it will be regulated, as Congress is currently trying to do, and that will only serve to slow everything down and kill creativity.
It's time to get current, and stay current, or get left behind.