What KRACK Teaches Us

As the full ramifications of the KRACK exploit continue to expand, it is clear that the IoT world is completely unprepared for this type of event.  Moreover, it is apparent that the majority of periphery-based and API-based solutions are not sufficient to protect this space.  At Bear, we have long-stated that protecting the IoT has to occur in the same manner as traditional enterprise is protected – namely with on-device agents.

Smart hubs, secure network devices, and other remote approaches do not solve this issue as the compromise happens within and between these IoT devices.  API-based systems have no ability to protect devices as they are mostly glorified application libraries that have zero ability to do more than protect a small segment of the overall IoT environment.

The reality is that the only type of protection that can overcome this exploit has to occur based on making changes to each device and that effort, at the scale of the IoT, is overwhelming with current approaches.  With an agent controlling a full stack of security, such as what Bear provides, this capability is not only possible but can occur in real-time and can be done without any unwanted disruptions.

For those that are unaware, the IoT comprises roughly 80% of modern enterprises and, as of now, the vast majority of your networks will remain vulnerable to this exploit.

Isn’t it time for a better solution?

Here is an updated list of available patches for your non-IoT world:

Browsers

If you are worried about your web browsing traffic being snooped, you can use the HTTPS Everywhere extension.  PLEASE NOTE: This extension does NOT protect desktop-based email, files or anything else – just web-based traffic through your browser!

Routers

• Arch Linux: WPA Supplicant patch, Hostapd patch
• Aruba
• Belkin – says it will be a few weeks
• Cisco
  • Cisco Meraki
  • Security Advisory
• DD-WRT
• Debian/Ubuntu
• Fortinet
• LEDE/OpenWrt
• Linksys – a patch will be coming in a few weeks
• Microsoft
• MikroTik
• Meraki: Fixed with Meraki 24.11 and 25.7
• Netgear: WAC120, WAC505/WAC510, WAC720/730, WN604, WNAP210v2, WNAP320, WNDAP350, WNDAP620, WNDAP660, WND930
• Open BSD – https://marc.info/?l=openbsd-announce&m=148839684520133&w=2
• Ubiquiti
• Watchguard Cloud

Operating Systems

• Android
  • You have to wait until the 11/4 security release for a patch – if you have a Google phone…
  • Those who have any other Android phone will presumably have to wait even longer
• Apple
  • Their beta OS releases are patched
  • They are denying that their other OS releases are vulnerable…but they are working on a patch
• Linux
  • General Patch – https://w1.fi/security/2017-1/
  • Debian Users – http://seclists.org/bugtraq/2017/Oct/25
• Microsoft
  • There is a security advisory but we recommend using Windows Update
  • If you updated on or after 10/10/2017 you are safe

Chips

• Intel – https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00101&languageid=en-fr