A vulnerability in Wi-Fi encryption has sent the entire tech industry scrambling; the so-called Krack attack affects nearly every wireless device to some extent, leaving them subject to hijacked internet connections. In terms of scope, it doesn’t get much worse—especially for the Internet of Things.

The extent of the Krack fallout remains to be seen. Security analysts say it’s a tricky vulnerability to take advantage of, and major platforms like iOS, macOS, and Windows are either unaffected or have already been patched. But given the millions of routers and other IoT devices that will likely never see a fix, the true cost of Krack could play out for years.

“For the general sphere of IoT devices, like security cameras, we’re not just underwater,” says Kevin Fu, a computer scientist at the University of Michigan who focuses on medical device security. “We’re under quicksand under water.”

Krack exposes just how deeply those problems run—and how slowly the industry has moved to fix them.

Catastrophe

Of all the advice you may have heard for dealing with Krack, only one piece actually has tangible benefit: patch your devices. (You can find a running list of companies that have provided one here.)

If you have an iPhone, Mac, or Windows computer, you really should patch right now. If you have an Android device, an update’s in the offing, though it may take some time to reach you if you have anything but a Pixel or Nexus. But after that, you're all set! Those are in good shape.


But your router? Your security camera? Your internet-connected garage door? Get comfy.

“We’re probably still going to find vulnerable devices 20 years from now,” says HD Moore, a network security researcher at Atredis Partners.

That’s because even under the best of circumstances, IoT devices rarely receive the necessary software updates to correct security issues. For a problem as complex as Krack, which impacts the industry at a protocol level and requires a coordinated effort to fix, in many cases your best bet is just to buy new equipment once patched options are on the market.

The challenges also go beyond the mere availability of a patch. Take Netgear. To its credit, the company made fixes available for a dozen of its router models the day that Krack went public. But it makes over 1200 products, each of which needs to be tested for specific Krack impact. In many cases, Netgear also can’t make those fixes alone; it needs its chipset partners to tackle the issue as well.

And when those patches do become available, the company has limited ways to inform customers that they need to update as soon as possible. It emails customers who registered their products, publishes an advisory, and posts in its community forums. The remainder of Netgear customers—the bulk of them—will have to read a news report like this one, then hunt down the right download link to install the fix. And even if they do that, the actual patching process requires logging into Netgear’s access point web-management interface from a computer, which may rightly baffle a number of router owners.

“I wouldn’t claim that anyone can just do it,” says Netgear CIO Tejas Shah. “We recognize the need to educate the customer and help the customer when they’re faced with this problem.”

Those issues aren’t unique to Netgear, which, again, gets a star for making patches immediately available. But they do underscore just how ill-prepared wireless devices are for this kind of industry-wide calamity.

And that’s just routers, which people by and large are at least aware connect to the internet. IoT devices are a whole extra level of opaque.

“Users aren’t even going to realize that they have a Wi-Fi IoT device. The refrigerator could be one of those,” says Bob Rudis, chief data scientist at security company Rapid7. “The fridge is probably not going to get patches on its own.”