The KRACK vulnerability has been one of the many highly publicised cyber security weaknesses that are more frequently making it to the front pages of news papers and websites.
KRACK or Key Reinstallation Attacks allow attackers to break the encryption that protects your traffic while traversing the air between your device and its connected wireless access point.
The recent news and subsequent publicity around the KRACK vulnerability has meant that many more people now know what WPA2 (Wi-Fi Protected Access) is and the risks to their privacy and security when using Wi-Fi without encryption.
KRACK and vulnerabilities like it raise questions about the use of encryption and the perception of its safety as it applies to most users. Research has shown that, in the developed world, Internet access has become a fundamental human right. Multiple initiatives are underway with only one goal in mind; connect the whole planet. Soon a user will be able to get online wherever they happen to be on the planet.
As of July 2017, it was estimated that 51.7% of the world population now has Internet access in some form, with uptake in developing countries growing exponentially. The vast amount of data created by all of these users will be of paramount interest to all sorts of third parties – marketing and advertising companies; governments tracking their citizens and by more nefarious types too.
Encryption is the key to keeping people safe online. Recently it has become a thorny subject and one where the views of the government can differ greatly from that of experts. Encryption is a mathematical formula that randomises data to make the original content unreadable to unauthorized parties. Almost every commonly used encryption algorithm produces at least one string of numbers that can be used to decipher the data into its original legible form. This string of number is the key.
The protection provided by a good encryption algorithm is its resistance to brute-forcing, a method of hacking by taking attempts at guessing the key. A key must be large enough so that an attacker or snooper cannot guess the combination of numbers in any reasonable amount of time. An additional method of protection comes from the algorithms resistance to cryptanalysis, the process of deciphering the encrypted message by analyzing the algorithm and its output.
Every piece of data that is encrypted has it own randomized key that is required to reconstruct the original form. This means that even if a cybercriminal stole your businesses encrypted files it would potentially take them hundreds of years to crack each of the keys.
Since its inception, the government has wanted a way to access encrypted data on a massive scale. Backdoors – a method of bypassing normal authentication – have been suggested as a means of ‘lawful hacking’ by various national security agencies.
To introduce a new standard encryption algorithm that has a backdoor, the government would need to build a legal framework to enforce its adoption; assuming private sector organisations would not voluntarily implement flawed security internally or into their products.
The problem with forcing a change in standards is that they are currently set by the ISO (the International Organisation for Standardisation) who have already rejected new standards from the US intelligence agency, the NSA (National Security Agency), based on the fears of a hidden backdoor. Additional problems arise when you consider that the ISO do not enforce these standards and there is no global governmental organisation that could do this. If an encryption backdoor is to be rolled out in a small selection of countries, criminal communications would be the least of the governments concerns as adversary governments shift all their cyber resources into exploiting this backdoor.
The economic impact of a legal framework enforcing businesses to implement flawed and vulnerable security measures would be significant to say the least. Companies that are subject to any such laws would likely see a significant drop in international trade as consumers choose to go with safer options that protect their personal data and don’t facilitate potential government surveillance. That data security savvy public we now have? They will vote with their feet.
It is essential that governments seek to understand how encryption underpins the safety of our ever-growing digital lives. Putting your citizens and the country’s national infrastructure at risk is not the only option to combat organisations using encryption. The UK government already has the power to surveil and record every citizens internet traffic. They also have the power to compel the owner of encrypted data to decrypt it.
Although KRACK might seem like a huge threat to our general security, it isn’t. Thanks to the responsible disclosure of the vulnerability, vendors have already taken affirmative action, and most have released a patch for affected devices.
Much more worrying is the relentless effort to force deliberately flawed encryption on the nation. It has the potential to harm businesses, national security and the security of its citizens. Its only effect on criminal organisations would be to drive them to use emerging technologies that are more secure, more undetectable and far less understood. There is no patch or easily followed advice for this, the damage would be permanent, and the solution would end up making the problem worse.