Updated: May 13
What is a KRACK attack?
Key reinstallation attacks (KRACK) exploit a weakness in the WPA2 four-way handshake, the exchange that installs the session key when a client joins a network, in order to decrypt or tamper with data sent over the wireless link.
These attacks can expose sensitive information such as login credentials, credit card numbers and private chats, along with any other data the victim sends over the Wi-Fi link without additional encryption. KRACKs can also be used to perform on-path attacks, serving the victim a fake website or injecting malicious code into a legitimate site, provided that site is loaded over plain HTTP.
It is worth being precise about what an attacker can and cannot do with the KRACK vulnerability. The attacker must be within radio range and can decrypt some of the traffic between your device and your router (on some clients, notably wpa_supplicant 2.4 and 2.5 as shipped on Android 6.0 and later at the time of disclosure, the bug causes an all-zero key to be installed, which makes decryption trivial). If the traffic is itself protected by HTTPS, the attacker still cannot read it, unless the site is misconfigured so that HTTPS can be stripped. Attackers cannot obtain your Wi-Fi password using this vulnerability, and it does not give them a way to join the network. What they can do is read your unencrypted traffic, and against some devices they can also inject packets. In effect, KRACK turns your WPA2 network into something like the open Wi-Fi at a coffee shop or airport.
There is at least a theoretical possibility that attackers could build on this vulnerability to make it more scalable as an attack vector in future, in the way that worms have been written to spread from one insecure IoT device to another and build a botnet. But currently this is not the case.
What is WPA2?
Wi-Fi Protected Access II (WPA2) is the security protocol that protects virtually all secured Wi-Fi networks. After a client authenticates, WPA2 derives per-session keys and uses them to encrypt traffic between the user's device and the access point, normally with AES in CCMP mode (TKIP is retained only for legacy compatibility). This is meant to stop anyone who intercepts the wireless frames from making sense of the captured data.
The weaknesses are in the Wi-Fi standard itself, not in individual products or implementations, so any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and others are all affected by some variant of the attacks. For more information about specific products, consult the CERT/CC vulnerability database or contact your vendor.
Key reinstallation attacks: high-level description.
In a key reinstallation attack, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying cryptographic handshake messages: for example, by blocking message 4 of the four-way handshake so that the access point retransmits message 3, which the client then processes a second time. When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. the nonce) and the receive packet number (i.e. the replay counter) are reset to their initial values. Because the encryption WPA2 uses is only secure if each nonce is used once per key, this reset lets the attacker collect frames encrypted with a repeated keystream, and so decrypt, replay and in some cases forge packets. Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice.
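The following is an added toy model of the mechanism just described; it is not code from the original article or from the KRACK researchers. It simulates a supplicant (client) that installs the pairwise key whenever it accepts message 3, then shows what an attacker who replays message 3 gains: the client's transmit packet number goes back to 1, so its next frame is encrypted with the same keystream as an earlier one (XORing the two ciphertexts cancels the keystream and, with one predictable plaintext, reveals the other), and the receive replay counter goes back to 0, so a recorded access-point frame is accepted a second time. The `keystream` function is a stand-in for CCMP's AES-CTR keystream (only the fact that the same key, sender and packet number give the same keystream matters here); the PTK, the sender labels, the two plaintexts and the `reinstall_allowed` switch are all constructed for the demo.

```python
"""Toy model of a KRACK against the WPA2 four-way handshake (added example).

Replaying message 3 makes a pre-patch supplicant reinstall the same PTK and
reset its transmit packet number (nonce) and its receive replay counter.
"""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

AP, CLIENT = b"\x01", b"\x02"   # stand-ins for the sender address in the CCMP nonce

# Constructed demo values (not real keys or captured traffic).
PTK = hashlib.sha256(b"constructed demo PTK").digest()
KNOWN_PLAINTEXT = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"  # predictable frame
SECRET = b"Cookie: session=constructed-secret-value\r\n"                 # shorter than KNOWN


def keystream(key: bytes, sender: bytes, packet_number: int, length: int) -> bytes:
    """Deterministic keystream for (key, sender, packet number).

    Stand-in for the AES-CTR keystream of CCMP: reusing the same nonce under the
    same key yields the same keystream, which is the property KRACK abuses.
    """
    out = b""
    block = 0
    while len(out) < length:
        msg = sender + packet_number.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client side of the handshake plus its data-frame state.

    reinstall_allowed=True models a pre-patch client: every accepted message 3
    (re)installs the PTK. False models the fix: an already-installed key is not
    installed again, although message 4 would still be re-sent.
    """

    def __init__(self, reinstall_allowed: bool) -> None:
        self.reinstall_allowed = reinstall_allowed
        self.ptk: Optional[bytes] = None
        self.tx_pn = 0       # transmit packet number, used as the CCMP nonce
        self.rx_replay = 0   # highest packet number accepted from the AP

    def handle_msg3(self, ptk: bytes) -> bool:
        """Process message 3. Returns True if the PTK was (re)installed."""
        if self.ptk is not None and not self.reinstall_allowed:
            return False
        self.ptk = ptk
        self.tx_pn = 0       # key installation resets the nonce ...
        self.rx_replay = 0   # ... and the receive replay counter
        return True

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        self.tx_pn += 1
        return self.tx_pn, xor(plaintext, keystream(self.ptk, CLIENT, self.tx_pn, len(plaintext)))

    def accept(self, pn: int, ciphertext: bytes) -> Optional[bytes]:
        """Replay check followed by decryption; None means the frame was dropped."""
        if pn <= self.rx_replay:
            return None
        self.rx_replay = pn
        return xor(ciphertext, keystream(self.ptk, AP, pn, len(ciphertext)))


def run_attack(reinstall_allowed: bool) -> Dict[str, object]:
    """Attacker's view of one key reinstallation attempt against a client."""
    client = Supplicant(reinstall_allowed)
    client.handle_msg3(PTK)                                  # handshake completes normally

    # The AP sends the client a frame at PN 1 (say a DHCP reply); the attacker records it.
    ap_frame = (1, xor(b"old AP frame", keystream(PTK, AP, 1, 12)))
    client.accept(*ap_frame)

    pn1, c1 = client.encrypt(KNOWN_PLAINTEXT)               # client's first frame, PN 1

    # Attacker blocks message 4 from reaching the AP, so the AP retransmits message 3
    # (same ANonce, hence the same PTK), and the attacker forwards it to the client.
    reinstalled = client.handle_msg3(PTK)
    pn2, c2 = client.encrypt(SECRET)                        # vulnerable client: PN 1 again

    # Keystream reuse: c1 ^ c2 == KNOWN ^ SECRET, so the known plaintext unmasks the secret.
    recovered = xor(xor(c1, c2), KNOWN_PLAINTEXT) if pn1 == pn2 else None
    # Replay-counter reset: the recorded AP frame passes the replay check again.
    replay_accepted = client.accept(*ap_frame) is not None
    return {"reinstalled": reinstalled, "nonce_reused": pn1 == pn2,
            "recovered": recovered, "replay_accepted": replay_accepted}


if __name__ == "__main__":
    for label, flag in (("pre-patch", True), ("patched", False)):
        r = run_attack(flag)
        print(f"{label}: nonce reused={r['nonce_reused']}, replay accepted={r['replay_accepted']}, "
              f"recovered={r['recovered']!r}")
```

The patched branch mirrors the actual fix adopted by clients such as wpa_supplicant: message 3 may be answered again, but a key that is already installed is never installed a second time, so neither counter is reset.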
How to protect against KRACK attacks:
Fortunately, security researchers discovered the KRACK vulnerability before attackers were known to use it, so there are currently no reports of KRACK attacks in the wild. Even so, operating system vendors have been patching the vulnerability so that it cannot be used against their devices.
Windows, macOS, Linux, Android and iOS have all shipped patches addressing KRACK. Users should update their operating systems to ensure they are protected. Additionally, when surfing the web, users should browse over HTTPS whenever possible; most browsers indicate a secure connection with a padlock icon next to the address.
Look to your router:
Your router's firmware also needs updating, although the main attack targets clients, so patching laptops and phones comes first; an access point needs the patch mainly if it supports 802.11r fast roaming or itself acts as a Wi-Fi client (as a repeater or mesh node). If the router was supplied by your ISP, ask the company when their branded kit will be patched. If they don't have an answer, keep asking. You can check whether your router is up to date from its administration panel: find the user guide for your ISP-branded router and follow the instructions to connect to the admin pages.
If your ISP is not quickly putting out a firmware update to fix KRACK, it may be time to consider switching ISP. A less drastic option is to buy a Wi-Fi access point from a responsible vendor that has already issued a patch, plug it into your ISP router and disable Wi-Fi on the ISP-supplied box.
If your router doesn't yet have a fix, and you don't have a patched Wi-Fi access point to use instead, you can connect to your router over Ethernet and turn off its wireless function until it is patched (assuming your router allows Wi-Fi to be disabled). Turn off Wi-Fi on your device as well, so you can be sure all traffic goes over the cable.
Consider using cellular data on your phone:
Most phones and tablets don't have an Ethernet port. If you want to make sure nobody is watching your traffic, disable Wi-Fi on the device and use cellular data instead. This isn't ideal if you live somewhere with spotty coverage, pay extra for mobile data, or don't trust your telecom provider.
Install the HTTPS Everywhere extension:
As mentioned above, you can reduce the risk by preferring encrypted traffic over unencrypted traffic. The EFF released a browser extension called HTTPS Everywhere that rewrites requests to use HTTPS where a site supports it; if you use Google Chrome, Firefox or Opera, consider installing it. There is no configuration to do, so anybody can set it up. Bear in mind that it only covers the browser: other apps on the device, and any site that offers no HTTPS at all, are not protected. Current browsers also ship a built-in HTTPS-only mode that does the same job without an extension.