KRACK requires a skilled attacker to be in close proximity, targeting you specifically. If you are concerned about an auxiliary corporate WiFi network, it may be wise to take it offline and rely on Ethernet until patches for affected devices become available. And if you are running a hospital WiFi network, you should ensure that the data you send over that network is end-to-end encrypted, because WPA2 will not prevent a skilled attacker from gaining access to a person's most sensitive data. Yes, this is a hassle, but it is a good precautionary step to take, since getting within WiFi range (~105ft or 32m) may not be difficult for an intruder unless you have strict access controls in place. Beyond this, it will be important to update every device as soon as patches are available.
How Did We Get Here?
Code reuse, it turns out, is vulnerability reuse.
Vulnerabilities like KRACK or Devil's Ivy are coming out now because we have more sophisticated ways to look for vulnerabilities, there is more light shining into the dark corners of IoT security, and we are asking more questions. We are in a renaissance of device security, coming out of the shadow of security by obscurity, and attempting to fix the flaws that were built into our infrastructure by trusting that what we believed to be the most secure solution was actually secure. We have to begin understanding that the most commonly used solutions are not, in fact, totally secure, and protect ourselves by building up layers of security.