The disclosure of the Krack vulnerability this week shines a harsh spotlight on the broad reach of the Internet of Things and on how often security for this emerging technology is treated as an afterthought. The Krack vulnerability is a flaw in the WPA2 protocol itself, the protocol used to secure routers and other WiFi-connected devices.
Why a Fix Isn’t Simple
A recurring problem we encounter in the IoT field is that millions of internet-enabled devices lack an easily accessible interface through which users can update them and safeguard their connections. This means that even though the Krack vulnerability poses little risk to current Windows, macOS, or iOS devices used by consumers, many other devices remain vulnerable. Internet-enabled embedded devices running Android or Linux often lack the interfaces necessary to change settings or receive updates, and may never be adequately patched, even when a patch exists.
This means that millions of routers, security cameras, smart appliances, or home automation systems may be vulnerable for a decade or more.
While phones and devices with application interfaces can easily receive a patch, many other devices will remain at risk of being exploited. The difficulty is compounded by the fact that, because the vulnerability lies in the protocol itself, patching it requires a highly coordinated effort. Any given hardware company may have thousands of models that must be tested for compatibility once the patch is designed, and that is before considering the impossibility of personally reaching every affected customer to ensure they install it.
What it Means for IoT and Embedded Devices in the Future
Undoubtedly, more equipment manufacturers will realize that they can no longer simply supply internet-connected hardware without making conscious efforts at protecting those devices from current and future vulnerabilities. We expect to see more manufacturers shipping IoT and embedded equipment with interfaces that allow users to access patches and updates. Auto-updates (not without their own risks) will also likely become more common for connected devices.
As the industry circles around best practices for security, new standards will emerge that will dictate the minimum security measures necessary for IoT and embedded devices. It’s also entirely possible that regulation will require a basic minimum of security for products sold to consumers or enterprise customers, or demand recalls for vulnerable products.
What Can Manufacturers Do?
Manufacturers of internet-connected equipment should be preparing for the future of a riskier IoT. That means developing products that adhere to the latest security standards, and ensuring that they are able to push updates to devices that become vulnerable. It means having the ability to contact users about new security vulnerabilities and giving them an interface for monitoring and updating their equipment. It also means building in the capabilities for a recall of vulnerable devices when updates are unavailable or patches cannot be made in a timely manner.