Share on Facebook Share
Share on TwitterTweet
Share on Google Plus Plus
The recent Wi-Fi “KRACK” vulnerability, which allowed anyone to get onto a secure network (and which was quickly patched by reputable vendors), had been in plain sight behind a corporate-level paywall for 13 years. This raises a number of relevant, interesting, and uncomfortable questions.
When this week’s KRACK wi-fi vulnerabity hit, I saw a series of tweets from Emin Gür Sirer, who’s mostly tweeting on bitcoin topics but seemed to know something many didn’t about this particular Wi-Fi vulnerability: it had been in plain sight, but behind paywalls with corporate level fees, for thirteen years. That’s how long it took open source to catch up with the destructiveness of a paywall.
In this case, close scrutiny of the protocol would have (and in fact, did) uncovered the nonce reuse issues, but didn’t happen for 13 years.
— Emin Gün Sirer (@el33th4xor) October 16, 2017
Apparently, WPA2 was based on IEEE standards, which are locked up behind subscription fees that are so steep that open source activists and coders are just locked out from looking at them. This, in turn, meant that this vulnerability was in plain sight for anybody who could afford to look at it for almost a decade and a half. There are so many issues and followup questions on this, it deserves at least two more articles on the same topic, just for headlines to cover one important point at a time (yes, that’s necessary today).
This also means that one of two things were true: one, those who could afford to look at it didn’t bother to look at it, or two, those who would bother to look at it and understand it couldn’t afford