As the dust settles on the KRACK vulnerability and vendors distribute patches to decrease our exposure to this challenge, I’ve been thinking about whether KRACK was really about exploiting a vulnerability and what that means about securing systems. Over the last four years or so, there have been some significant milestones or events when it comes to infosec. I think KRACK is one of those pivot moments.
A few years ago we had Heartbleed. This was a bug in the source code for OpenSSL, disclosed in 2014, that stemmed from a flaw in the way input validation worked.
More recently, we had WannaCry, which took advantage of a vulnerability in the SMB 1 protocol to self-propagate a ransomware payload. We then had the more heavily weaponised NotPetya, which built on parts of WannaCry.
The thing about those attacks is that, while they may have been preventable had companies followed some basic cyber-hygiene like patching systems, they took advantage of flaws in previously trusted, and quite old, software.
KRACK is a different type of threat in my view.
Until now, we have treated WPA2 as unbreakable. Without it, we cannot trust that communications on our wireless networks are secure. What’s important to understand, and I know this is a nuanced point, is that the encryption in WPA2 has not been broken. Rather, it has been circumvented.
Peter Gutmann, from the University of Canterbury in New Zealand, has spoken on the topic of encryption many times. He is one of the architects of PGP and a world-renowned crypto expert. He has pointed out many times that the bad guys don’t bother trying to break encryption like we see in movies and TV. Rather, they simply work around the encryption.
The KRACK exploit is a prime example of this. Mathy Vanhoef and Frank Piessens’ research doesn’t break the encryption per se. It works around it, rendering it useless.
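To make the "worked around, not broken" distinction concrete: KRACK forces a client to reinstall an already-in-use key, which resets the packet number that WPA2 uses as the cipher's nonce, so the same keystream gets applied to two different frames. The cipher itself is untouched; the protocol simply stops guaranteeing nonce uniqueness. The following is an added illustration, not code from the post or from the KRACK researchers. It uses a hash-based counter-mode keystream as a stand-in for AES-CCMP (an assumption made only so the example runs offline), shows that decryption still works perfectly, that a reused nonce makes the XOR of two ciphertexts equal the XOR of their plaintexts (the classic two-time-pad leak), and ends with the kind of guard an implementation should have: refuse to reinstall a key and nonce pair that has already been used.

```python
import hashlib

# Constructed sample key; in WPA2 this would be the session key negotiated
# by the 4-way handshake. Fixed here so the example is reproducible.
SAMPLE_KEY = bytes(range(32))


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from (key, nonce).

    SHA-256 stands in for a block cipher purely so this runs with the
    standard library; the lesson (nonce reuse => keystream reuse) is
    identical for AES-CCMP as used by WPA2.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: ciphertext = plaintext XOR keystream(key, nonce)."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


# XOR-based stream ciphers are symmetric: decryption is the same operation.
decrypt = encrypt


def keystream_reused(ct1: bytes, ct2: bytes, pt1: bytes, pt2: bytes) -> bool:
    """True when ct1 XOR ct2 == pt1 XOR pt2 over the common prefix.

    That equality holds exactly when both frames were encrypted under the
    same keystream, i.e. the same (key, nonce). The cipher is not 'broken';
    the protocol guarantee that nonces are never repeated was.
    """
    n = min(len(ct1), len(ct2))
    return xor_bytes(ct1[:n], ct2[:n]) == xor_bytes(pt1[:n], pt2[:n])


class NonceGuard:
    """Models the check a key-install routine should make: never install a
    (key, nonce) pair that has already been used, even if a handshake
    message asking for it is replayed."""

    def __init__(self) -> None:
        self._seen: set[tuple[bytes, bytes]] = set()

    def install(self, key: bytes, nonce: bytes) -> tuple[bytes, bytes]:
        if (key, nonce) in self._seen:
            raise ValueError("refusing to reinstall an already-used key/nonce pair")
        self._seen.add((key, nonce))
        return key, nonce


def demo(key: bytes = SAMPLE_KEY) -> tuple[bool, bool, bool]:
    """Returns (cipher_roundtrips, leak_with_fresh_nonces, leak_with_reused_nonce)."""
    # Constructed sample frames.
    frame1 = b"constructed sample: first wireless frame payload"
    frame2 = b"constructed sample: second wireless frame payload"
    nonce_pn1 = (1).to_bytes(6, "big")  # packet number 1
    nonce_pn2 = (2).to_bytes(6, "big")  # packet number 2

    roundtrips = decrypt(key, nonce_pn1, encrypt(key, nonce_pn1, frame1)) == frame1

    # Correct behaviour: every frame gets a fresh packet number.
    fresh = keystream_reused(
        encrypt(key, nonce_pn1, frame1), encrypt(key, nonce_pn2, frame2), frame1, frame2
    )
    # What a key reinstallation causes: the packet number resets and repeats.
    reused = keystream_reused(
        encrypt(key, nonce_pn1, frame1), encrypt(key, nonce_pn1, frame2), frame1, frame2
    )
    return roundtrips, fresh, reused


if __name__ == "__main__":
    print("roundtrip ok, leak with fresh nonces, leak with reused nonce:", demo())
    guard = NonceGuard()
    guard.install(SAMPLE_KEY, b"\x00" * 6)
    try:
        guard.install(SAMPLE_KEY, b"\x00" * 6)  # replayed install attempt
    except ValueError as exc:
        print("guard:", exc)
```

Note that nothing in the block weakens the cipher: decryption round-trips, and two frames with distinct packet numbers reveal nothing about each other. Only the reused nonce leaks, which is exactly the sideways entry the post describes, and the remedy is a protocol-level check rather than a stronger cipher.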
That might be a subtle difference but it should inform our security procedures, code-checking practices and other infosec-related activities. We need to think laterally about how systems can be exploited. While past threats and exploits were about punching your way through defences, KRACK is about looking at the detail of how a process works and then finding a way to enter the process sideways in order to bypass a control.
How this is going to play out in the long term is anyone’s guess. But I think it’s time to rethink assumptions about the building blocks of our networks and security – the low-level protocols upon which everything is based – and start looking at how someone might work around systems that, until now, seem invulnerable.