The KRACK WiFi vulnerability, how to protect yourself

A recent reveal of a serious security flaw in WPA2 protocol shows how vulnerable the latter is allowing attackers within range of a device or access point to intercept passwords, email messages, and other data that is supposed to be encrypted. Sometimes the attackers can even infuse ransomware or other malware into a website a user is visiting.

What is KRACK and how it works


KRACK (or Key Reinstallation Attacks) is an exploit that affects the core WPA2 protocol itself and can be used against Android, Linux, and OpenBSD devices; a little bit less effective against macOS and Windows, as well as MediaTek Linksys, as well as some other devices. The site with research results noted that attackers can use the exploit to decrypt multiple types of sensitive data that is usually considered safe as it is encrypted with Wi-Fi encryption protocol.

KRACK exploits a four-way handshake that's normally executed when a user connects to a WPA2-protected Wi-Fi network. Handshake is executed to confirm that both a user and an access point bear the correct credentials. What KRACK does is it tricks the vulnerable client into reinstalling a key that is already in use, forcing the reset of packet numbers with valuable parameters. This way the cryptographic nonce is reused to allow the encryption to be bypassed.

There is more insight on KRACK in the article by Sean Gallagher, and Dan Goodin, Ars Technica.

The biggest threat KRACK poses is to large corporate and governmental Wi-Fi networks, especially if they accept connections from Linux and Android devices. The hackers should be within the attacked Wi-Fi range in order to carry out the attack, they probably wouldn't bother much with home Wi-Fi networks, plus there are easier ways to attack small home Wi-Fi, again, especially if they connect with Linux or Android devices.

How to protect yourself from the KRACK attack


1. Avoid public WiFi

Public Wi-Fi is an easier target for hackers, and public networks are not that well-protected to start with. To stay on the safe side, both public and office networks need to update their systems, and still a good idea would be to stay away from public networks until the issue is resolved.

2. Use wired connections

If you feel like the access points you are using may be vulnerable, try to use wired connection for some time.

3. Use reliable WEB protocols

If you don't have a possibility to use a wired connection, make sure you are using HTTPS, STARTTLS, Secure Shell, or another reliable protocol.

4. Use VPN for extra encryption

Consider adding an extra layer of security with a VPN service. Make sure to choose a reputable VPN provider that you can trust though.

5. Consider cellular

If you have a good cellular data package with enough speed, try using it when possible, especially instead of some public connections. While there can still be issues with this solution, especially on Android 6.0 and later, it is a better way to connect and stay protected from hackers.

6. Patch your devices

Most of tech hardware and software vendors reacted to this breach fast and are providing patches for devices. Don't put off patching your phones, laptops, Wi-Fi base stations, and other gear. Patch asap if you have an iPhone, Mac, or Windows computer. If you have an Android device - an update is soon to come. Some of the Wi-Fi access points also have patches available, so be sure to check for one. Many routers don't update automatically, so go ahead and see if yours can be updated right now.

Have more questions? Submit a request.

Windows version is here!

NetSpot is an easy-to-use wireless network detector for in-depth surveying of WiFi networks around you.
Get the free WiFi scanner app

Next in All about Wi-Fi


Other Articles

Start now with NetSpot
Runs on a MacBook (macOS 10.10+) or any laptop (Windows 7/8/10)
with a standard 802.11a/b/g/n/ac wireless network adapter.