How did a bug like KRACK fester in WPA2, the 13-year-old Wi-Fi standard whose flaws have rendered hundreds of millions of devices insecure, some of them permanently so?
Thank the IEEE's business model. The IEEE is the standards body that developed WPA2, and they fund their operations by charging hundreds of dollars to review the WPA2 standard, and hundreds more for each of the standards it builds upon, so that would-be auditors of the protocol have to shell out thousands just to start looking.
It's an issue that Carl Malamud, Public Resource and the Electronic Frontier Foundation have been fighting hard on for years, ensuring that the standards that undergird public safety and vital infrastructure are available for anyone to review, audit and criticize.
The need for security standards to be freely auditable was also at the center of the W3C's catastrophic decision to standardize DRM for 3 billion browser users: EFF proposed that W3C members should pledge not to threaten security researchers who discovered defects in the W3C standard, and the members refused, with the backing of the W3C exec (which is why EFF resigned).
Any impediment to independent scrutiny of standards is a form of high-interest, high-risk technology debt and the bill always comes due.
Researchers note that standards development processes are unwieldy and time-consuming, which can make working groups inflexible and unwilling to evolve once they've put significant effort into a certain approach. "I've seen this over and over," Matt Blaze, a security researcher at the University of Pennsylvania, wrote on Twitter on Tuesday. "Eventually, the most talented people stop showing up to the meetings and no one feels empowered to restart from scratch. Sunk cost fallacy. The people involved aren't dumb, and they're working hard to do a good job. But the process is effectively rigged to produce crap like this."
And since it's difficult to access the documentation for many wireless security standards produced in these closed-door processes, researchers naturally turn their bug-hunting focus elsewhere. Johns Hopkins' Green notes that the researcher at Belgian university KU Leuven who found the WPA2 bug, Mathy Vanhoef, is one of only a few people working in the area. "Given the small number of people paying attention, it’s a lot of bugs," Green says.
[Lily Hay Newman/Wired]
(Image: Peter Hosey, CC-BY)