Recently a vulnerability called KRACK in Wi-Fi security, which exploited the Key Reinstallation process part of WPA2, was discovered and published by researchers. This impacts all manner of Wi-Fi-based devices, including phones and laptops, but more importantly it’s affecting connected cameras, bulbs, medical devices, and HVAC systems as well. This class of devices, referred to as IoT devices, are especially vulnerable because they don’t come with an easy way to locate, identify, and update them in the field. Since these devices do not have a user interaction model or attendant management infrastructure such as the ones that are taken for granted with smartphones, they are at risk for an extended period of time.
Vendors are, rightly, working diligently to make software updates available that will patch the issue. Even after the patch is made available, the issue still remains because distributing these updates to the product fleet is a significant gap. Current retrofitting processes, such as emailing customers or dispatching field service teams to update the products, are simply too slow, expensive, or do not provide enough coverage. According to HD Moore, a network security researcher at Atredis Partners, some of these devices may stay vulnerable for decades.
The solution lies in designing in an efficient device management service for product fleets, be it consumer or commercial connected products, from day one as insurance against future vulnerabilities. The service needs to have three key aspects:
Silicon Labs’ offers a solution to this problem in the form a cloud-based service called Zentri Device Management Service. This is a hardware agnostic service that is already helping customers identify the security posture of their fleet and apply software updates gradually or all at once. Additionally, the service can monitor the security fleet and be used to selectively disable or de-activate compromised devices.