The recent catastrophic Wi-Fi vulnerability was in plain sight for 13 years behind a corporate paywall

Posted on Oct 22, 2017 by Rick Falkvinge

The recent Wi-Fi “KRACK” vulnerability, which allowed anyone to get onto a secure network (and which was quickly patched by reputable vendors), had been in plain sight behind a corporate-level paywall for 13 years. This raises a number of relevant, interesting, and uncomfortable questions.

When this week’s KRACK Wi-Fi vulnerability hit, I saw a series of tweets from Emin Gün Sirer, who’s mostly tweeting on bitcoin topics but seemed to know something many didn’t about this particular Wi-Fi vulnerability: it had been in plain sight, but behind paywalls with corporate-level fees, for thirteen years. That’s how long it took open source to catch up with the destructiveness of a paywall.

Apparently, WPA2 was based on IEEE standards, which are locked up behind subscription fees that are so steep that open source activists and coders are just locked out from looking at them. This, in turn, meant that this vulnerability was in plain sight for anybody who could afford to look at it for almost a decade and a half. There are so many issues and followup questions on this, it deserves at least two more articles on the same topic, just for headlines to cover one important point at a time (yes, that’s necessary today).

This also means that one of two things was true: one, those who could afford to look at it didn’t bother to look at it, or two, those who would bother to look at it and understand it couldn’t afford to do so. Both are problematic. (There’s also a third option, even more problematic, below – when an actor who can both afford and understand it keeps the research to themselves as a zero-day sploit.)

The first obvious point is that security doesn’t work if it’s not out in the open. If this wasn’t the final nail in the coffin for security through obscurity – where paywalls are definitely included in the obscurity concept – then I don’t know what would be.

The second point is that this isn’t the only standard we rely on for security that is based on locked-up evidence of security. As has been shown, it may be that each component of the security stack passed its unit test, but the integration tests clearly were insufficient. In other words, it doesn’t matter if all proofs of security come out right, if you’re not sure you’ve proven the whole system to be secure (as opposed to just individual pieces of it). We can expect several more severe vulnerabilities to be in plain sight behind corporate paywalls.

The third point, which is going to be expanded in the first followup article, is that while ordinary activists and coders were locked out of reviewing these documents, the NSA and the like had no shortage of budget to pay for subscriptions to these specifications. Thus, the IEEE’s paywall was lopsiding the security field toward mass surveillance, away from security.

The fourth point, which also merits expansion, is that if something as severe as this was unread for thirteen years because it was behind a paywall — what does that say about legacy media’s current infatuation with paywalls to protect their “genuine journalism”?

Privacy remains your own responsibility.

4 Comments

  1. Troy Martin

    IEEE has released the 802.11 Wi-Fi specifications to academia/research for more than a decade at no cost. IEEE 802.11-2016 is the latest standard, which includes the 802.11i (WPA2) ratification rolled in as clause 12. Available here at no cost (but users must create an account): http://ieeexplore.ieee.org/document/7786995/

    6 years ago
  2. Caleb Cushing

    You’re missing those that could afford to look at it, but didn’t understand the security implications, because secure programming is not generally taught in school. IMO, as a Software Developer, every single developer should be taught how to write exploits (for pen testing) and how to defend against them.

    6 years ago
  3. Brett

    > subscription fees that are so steep that open source activists and coders are just locked out from looking at them

    No, they’re not. The most expensive 2018 membership fees are $201 US. Please don’t spread this sort of anti information. The fees are not the reason this wasn’t found until now.

    There is a huge difference between releasing a spec (that is now also public) and finding an exploitable flaw in that spec. Paywalls suck, but this is not an applicable case. Don’t spread lies.

    6 years ago
    1. Brett

      Also, it’s not corporate. IEEE is a non-profit organization.

      6 years ago