Today, a new vulnerability affecting the security of WPA2-protected wireless networks was disclosed. The Key Reinstallation Attack (KRACK) can render the network encryption transparent, allowing traffic to be viewed and – in certain circumstances – interfered with.
While the attack poses challenges for some network users, it does not affect the security of Electric Imp devices. The Electric Imp IoT platform was designed from the start to deal with real-world issues such as weak (or non-existent) network encryption, and so our platform treats all network links as untrusted. Instead, we rely on a mutually-authenticated TLS 1.2 ECDHE link to secure the traffic between endpoint and cloud, preventing MITM attacks, data snooping and malicious traffic injection.
In addition to this transit security, we implement an Ed25519-based challenge-response to prevent device impersonation even in the event of a TLS key compromise.
When our silicon provider patches their WPA supplicant to withstand the KRACK attack, we will incorporate the fixes in our next impOS release, just as impOS 36 addressed the Broadpwn vulnerabilities revealed earlier this year. All devices on the Electric Imp IoT platform receive OS and security updates directly, relieving our customers from security maintenance duties and keeping the entire installed base fully patched and up to date.
Until that point, although an attacker within wireless range can – at worst – cause denial-of-service problems, they cannot interfere with, decrypt or impersonate valid imp traffic. It should be noted that any attacker within wireless range can also simply use a jammer to prevent network operation, which is a problem no amount of software can fix.
Hugo Fiennes
CEO and Co-Founder of Electric Imp