Over the last several days, details have been released concerning a new type of security attack called KRACK. This attack targets Wi-Fi-connected devices using the latest Wi-Fi security standards. It impacts devices and software from many vendors, including Aruba, Cisco, Fortinet, FreeBSD, Intel, Juniper, Red Hat, Samsung, Ubiquiti, and others. The attack can result in the compromise of data being transmitted via Wi-Fi.
IoT devices have been identified as being particularly at risk, as many of these may be running older versions of software and chipsets. All of the major vendors have been working on fixes and updates, but many of those have yet to be released. At this point no specific attack has been identified using this new method, but it is only a matter of time now.
This attack provides additional evidence that we really need to rethink how we manage our devices and how we connect our devices together. For example, many organizations have what I call "M&M Security". This security model is a hard outer shell and then a soft center. The KRACK attack means someone sitting outside of an office where Wi-Fi is available could potentially gain access to the network, bypassing the thick security layers. If the internal network is not properly segmented and controlled, with data protection layers enforced, and so forth, it can easily open the company to additional attacks and data loss. Likewise, with IoT devices becoming more commonplace in the enterprise, using older devices and older software on those devices can provide a new way to attack and steal data.
Ultimately, we need to adopt an operational model in which we assume a state of breach at all times. If we assume a state of breach, operate under this model, and plan our devices and systems for a state of breach, I think we will end up having more secure systems, better data protections, and will be better prepared to address these new threats.
In the meantime, we need to be ready to start major patching. KRACK will impact many mobile devices, IoT devices, Wi-Fi access points, and other network systems. We also need to make sure systems are protected, because any public Wi-Fi point is now a potential target. Hopefully your employees aren't doing any business work while sitting at the coffee shop or airport and using Wi-Fi right now!
The attack could also be devastating for IoT devices, as vendors often fail to implement acceptable security standards or update systems in the supply chain, which has already led to millions of vulnerable and unpatched IoT devices being exposed for use by botnets.