Juha Saarinen: Watch out for the KRACK hack attack

Clever KRACK notwithstanding, an attack isn't easy to pull off and requires proximity to the WiFi access point. Photo / 123RF

On the surface, a tried and tested security vulnerability in the world's most popular way to network, wirelessly with WiFi, is really bad news.

Making it worse, the flaw is in the protocol used to secure WiFi connections. It means that even if vendors follow the specifications for the WiFi Protected Access version 2 (WPA2) industry standard protocol to the letter and do everything right, hackers can still get through.

Add to that the fact that billions of not very old and still in use WiFi enabled devices, from routers to smartphones to laptop computers and more will never see an upgrade that fixes the problem.

That means devices from all vendors are open to interception and traffic injection.

The exploit for the flaw is very clever, and calling it KRACK is genius branding because Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 as the name of the research paper is would make people's eyes glaze over and possibly ignore the threat.

Luckily, it's not Doomsday for WiFi yet. Clever KRACK notwithstanding, the attack isn't easy to pull off and requires proximity to the WiFi access point. Big companies like Microsoft and Apple have been notified and there are software fixes available to plug the KRACK menace, so please make sure you install any security updates that arrive.

Making sure that traffic you send and receive over WiFi is encrypted will also help protect against your data being taken or tampered with, although this again depends on if for instance the Transport Layer Security (TLS) protocol is set up right with up to date software.

There are some important lessons to learn from KRACK. First, industry standard specifications need to be reviewed regularly. Sometimes they're so complex that vendors creating products with them get it wrong, as is the case with the BlueBorne Bluetooth vulnerability that was also discovered recently.

Technical specifications can also be buggy, or contain flaws that nobody thought of at the time they were written. The researchers who discovered KRACK noted that other protocols could have the same sort of flaw, and they probably need to be rethought and updated as well.

Second, KRACK is a strong argument for using software defined networking (SDN). This is next-generation technology that New Zealand led the world in before a law change forced the test lab out of the country.

Without going into too much geeky detail, SDN makes it fast and easy to reconfigure and update network gear when these security alerts appear. That's exactly what you want, especially for companies and public-facing networks where updating each connection device is difficult, risky and takes a long time to do.

The United States National Security Agency (NSA) is a proponent of SDN which says it all.
In other words, we should anticipate that just about everything can and will go wrong at some point, and be ready to fix it.

That's an obvious thing to say. I'm still nevertheless betting that open, totally unprotected WiFi that's found everywhere despite all the warnings will remain a greater threat to users for the next few years than the KRACK hack attack.