KRACK Wi-fi at­tack: How to stay safe


Adev­as­tat­ing flaw in Wi-fi’s WPA ( go.mac­ se­cu­rity pro­to­col makes it pos­si­ble for at­tack­ers to eaves­drop on your data when you con­nect to Wi-fi. Dubbed KRACK, the is­sue af­fects the Wi-fi pro­to­col it­self—not spe­cific prod­ucts or im­ple­men­ta­tions—and “works against all mod­ern pro­tected Wi-fi net­works,” ac­cord­ing to Mathy Van­hoef ( go.mac­, the re­searcher that dis­cov­ered it. That means that if your de­vice uses Wi-fi, KRACK likely im­pacts it. For­tu­nately, ma­jor tech com­pa­nies are

mov­ing quickly to patch the is­sue.

Read on for what you need to know about the KRACK Wi-fi vul­ner­a­bil­ity, from how it works to how to best pro­tect your­self against it. We’ll re­peat­edly up­date this ar­ti­cle as more in­for­ma­tion be­comes avail­able.


KRACK (short for, uh, Key Re­in­stal­la­tion At­tack) tar­gets the third step in a four-way au­then­ti­ca­tion “hand­shake” per­formed when your Wi-fi client de­vice at­tempts to con­nect to a pro­tected Wi-fi net­work. The en­cryp­tion key can be re­sent mul­ti­ple times dur­ing step three, and if at­tack­ers col­lect and re­play those re­trans­mis­sions in par­tic­u­lar ways, Wi-fi se­cu­rity en­cryp­tion can be bro­ken.

That’s the Cliff­s­notes ver­sion. For a more tech­ni­cally de­tailed ex­pla­na­tion, check out Mathy Van­hoef’s KRACK at­tacks web­site ( go.mac­


If your de­vice uses Wi-fi, it’s likely vul­ner­a­ble to the KRACK Wi-fi se­cu­rity flaw to some de­gree, though some get it worse than oth­ers. We go into greater de­tail about how par­tic­u­lar de­vices are af­fected by KRACK in a ded­i­cated sec­tion fur­ther be­low.


For starters, the at­tacker can eaves­drop on all traf­fic you send over the net­work. “This can be abused to steal sen­si­tive in­for­ma­tion such as credit card num­bers, pass­words, chat mes­sages, emails, pho­tos, and so on,” Van­hoef ex­plains. For a deeper look at the po­ten­tial im­pact, check out Pc­world’s ar­ti­cle on what an eaves­drop­per sees when you use an un­se­cured Wi-fi hotspot ( go.mac­ It’s a few years old, but still il­lu­mi­nat­ing.

The United States Com­puter Emer­gency Readi­ness Team also is­sued this warn­ing as part of its KRACK se­cu­rity ad­vi­sory, per Ars Tech­nica ( go.mac­world. com/arte): “The im­pact of ex­ploit­ing these vul­ner­a­bil­i­ties in­cludes de­cryp­tion, packet re­play, TCP con­nec­tion hi­jack­ing, HTTP con­tent in­jec­tion, and oth­ers.” HTTP con­tent in­jec­tion means the at­tacker could sneak code into the web­sites you’re look­ing at to in­fect your PC with ran­somware or mal­ware.

So yeah, it’s bad. Keep your se­cu­rity shields ac­tive, just in case. Pc­world’s guide to the best an­tivirus soft­ware ( go. mac­ can help you se­lect a re­li­able so­lu­tion if needed.


“We are not in a po­si­tion to de­ter­mine if this vul­ner­a­bil­ity has been (or is be­ing) ac­tively ex­ploited in the wild,” Van­hoef says. US-CERT’S ad­vi­sory didn’t in­clude any in­for­ma­tion about whether KRACK is be­ing ex­ploited in the wild, ei­ther.

Now for some some­what set­tling news: Iron Group CTO Alex Hud­son says ( go. mac­ an at­tacker needs to be in range of your Wi-fi net­work to carry out any ne­far­i­ous plans with KRACK. “You’re not sud­denly vul­ner­a­ble to ev­ery­one on the in­ter­net,” he says.

“The im­pact of ex­ploit­ing these vul­ner­a­bil­i­ties in­cludes de­cryp­tion, packet re­play, TCP con­nec­tion hi­jack­ing, HTTP con­tent in­jec­tion, and oth­ers.”


Keep your de­vices up to date! Van­hoef says “im­ple­men­ta­tions can be patched in a back­wards-com­pat­i­ble man­ner.” That means that your de­vice can down­load an up­date that pro­tects against KRACK and still com­mu­ni­cate with un­patched hard­ware while be­ing pro­tected from the se­cu­rity flaw. Given the po­ten­tial reach of

KRACK, patches are com­ing quickly from many ma­jor hard­ware and op­er­at­ing sys­tem ven­dors. Up-to-date Win­dows PCS, for ex­am­ple, are al­ready pro­tected.

Un­til those up­dates ap­pear for other de­vices, con­sumers can still take steps to safe­guard against KRACK. The eas­i­est thing would be to sim­ply use a wired eth­er­net con­nec­tion, or stick to your cel­lu­lar con­nec­tion on a phone. That’s not al­ways pos­si­ble though.

If you need to use a public Wi-fi hotspot—even one that’s pass­word pro­tected—stick to web­sites that use HTTPS en­cryp­tion. Se­cure web­sites are still se­cure even with Wi-fi se­cu­rity bro­ken. The URLS of encrypted web­sites will start with “HTTPS,” while un­se­cured web­sites are pref­aced by “HTTP.” The Elec­tronic Fron­tier Foun­da­tion’s su­perb HTTPS Ev­ery­where browser plug-in ( go.mac­ can force all sites that of­fer HTTPS en­cryp­tion to use that pro­tec­tion. Al­ter­na­tively, you can hop on a vir­tual pri­vate net­work (VPN) to hide all of your net­work traf­fic. Don’t trust ran­dom free VPNS, though—they could be af­ter your data as well. Pc­world’s guide to the best VPN ser­vices ( go.mac­ bvpn) can help you pick out a trust­wor­thy provider. And again, keep your an­tivirus soft­ware ( go.mac­ up to date to pro­tect against po­ten­tial code in­jected mal­ware.

Go­ing for­ward, the Wi-fi Al­liance ( go.mac­ will re­quire test­ing for the KRACK WPA2 vul­ner­a­bil­ity in its global cer­ti­fi­ca­tion lab net­work, so new de­vices will be pro­tected out of the box.


Is my phone at risk?

KRACK is a dif­fer­ent sort of at­tack than pre­vi­ous ex­ploits, in that it doesn’t go af­ter de­vices, it goes af­ter the in­for­ma­tion you use them to send. So while the data stored

on your phone is safe from hack­ing, when­ever you use it to send a credit card num­ber, pass­word, email, or mes­sage over Wi-fi, that data could be stolen.

So my router is vul­ner­a­ble?

That’s closer, but still not to­tally ac­cu­rate. It’s not the de­vice that’s at risk, it’s the in­for­ma­tion, so the sites you visit that aren’t HTTPS are most vul­ner­a­ble.

Oh, so I should change my Wi-fi pass­word then?

Well, you can, but it’s not go­ing to stop the like­li­hood of at­tack. The ex­ploit tar­gets in­for­ma­tion that should have been encrypted by your router, so the at­tacker doesn’t need to crack your pass­word to im­ple­ment it. In fact, it has no bear­ing on the at­tack what­so­ever.

So all de­vices are at risk?

Now you’re get­ting it. How­ever, while any de­vice that sends and re­ceives data over Wi-fi is at risk, the re­searchers who un­cov­ered the at­tack said An­droid de­vices were more at risk than other mo­bile phones.

Great, I have an An­droid phone. But I’m run­ning Nougat so I’m safe, right? Un­for­tu­nately, no. Newer phones run­ning An­droid 6.0 or later are ac­tu­ally more at risk since there is an ex­ist­ing vul­ner­a­bil­ity in the code that com­pounds the is­sue and makes it eas­ier to “in­ter­cept and ma­nip­u­late traf­fic.”

Google ex­pects to have a se­cu­rity patch ready for Novem­ber 6, which should promptly roll out to Pixel and Nexus de­vices. But it could take weeks or even months for An­droid hard­ware mak­ers and cel­lu­lar providers to val­i­date and de­ploy the patch to other phones and tablets. Many de­vices, es­pe­cially older ones, may never re­ceive the up­date.

So are my iphone and Mac safe?

Safer than An­droid, but still not en­tirely safe. Ap­ple said in a state­ment that all cur­rent IOS, macos, watchos, and tvos be­tas in­clude a fix for KRACK. It will be rolling out to all de­vices within a few weeks.

What about Win­dows PCS?

They’re safe if you stayed up­dated. Mi­crosoft re­leased a Win­dows patch ( go. mac­ to pro­tect against KRACK on Oc­to­ber 10, be­fore the vul­ner­a­bil­ity was made public.

I run Linux. I’m im­pen­e­tra­ble to at­tack, right?

Not quite. Re­searchers ac­tu­ally found that Linux ma­chines were the most vul­ner­a­ble desk­top de­vices, with a sim­i­lar bug to the one found in the An­droid code. Now for the good news: An up­stream Linux patch ( go.mac­ is al­ready

avail­able, as are KRACKblock­ing up­dates for Ubuntu ( go.mac­, Gen­too ( go.mac­ gent), Arch ( go.mac­ arch), and De­bian ( go. mac­ dis­tri­bu­tions. A patch is also avail­able for OPENBSD ( go.mac­

I have au­to­matic up­dates turned on. How do I know if my mo­bile de­vice has been up­dated?

The quick­est way is to check the sys­tem’s soft­ware up­dates tab in your Set­tings app to see when the most re­cent ver­sion has been up­dated. More help­fully, Owen Wil­liams is keep­ing a run­ning list of com­pa­nies that have dis­trib­uted patches on his Recharged blog ( go.mac­ rech). It’s a stel­lar re­source.

What about my router?

First, you should check to see if your router has any pend­ing firmware up­dates. Most peo­ple aren’t as vig­i­lant in up­dat­ing their routers as they are with their phones or PCS, so log into your ad­min page and in­stall any wait­ing up­dates. If there aren’t any, it’s a good habit to check back ev­ery day, since com­pa­nies will be rolling out patches over the com­ing weeks, with some al­ready be­ing im­ple­mented.

Net­gear ( go.mac­, In­tel ( go.mac­, Eero ( go.mac­world. com/ero1), and busi­ness-fo­cused net­work­ing providers al­ready have KRACK router patches avail­able. Eero’s is rolling out au­to­mat­i­cally as an over-the-air up­date. The pop­u­lar DD-WRT open router firmware has de­signed a patch ( go. mac­, but it isn’t avail­able to down­load yet. Ex­pect it soon.

So should I turn off Wi-fi?

That’s prob­a­bly not a vi­able op­tion for most peo­ple, but if you’re com­pletely panic-stricken, then the only way to be com­pletely safe is to avoid us­ing Wi-fi un­til you know your router has been patched. ■

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.