KRACK WPA2 Wi-Fi hack, and how to protect yourself

For years we've all depended on the WPA2 protocol to secure our Wi-Fi networks. That all comes to an end today.

Security researcher Mathy Vanhoef has revealed what he has labeled "KRACK," an exploit that attacks a vulnerability in the handshake of the WPA2 protocol that you most likely use to protect your Wi-Fi at home and that millions of small businesses around the world use, too.


Speaking at the ACM Conference on Computer and Communications Security in Dallas, Vanhoef explained that this exploit may allow packet sniffing, connection hijacking, malware injection, and even decryption of the protocol itself. The vulnerability has been disclosed early to the people who need to know these sorts of things in order to find a fix, and the United States Computer Emergency Readiness Team (US-CERT) has released this prepared statement:

US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.

According to a researcher who has been briefed on the vulnerability, it works by exploiting a four-way handshake that's used to establish a key for encrypting traffic. During the third step, the key can be resent multiple times. When it's resent in certain ways, a cryptographic nonce can be reused in a way that completely undermines the encryption.
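A simplified model of the nonce reuse described above, added here as an illustration and not taken from the article or from the researcher's paper. The `Client` class, the SHAKE-256 keystream (a toy stand-in for WPA2's AES-based cipher) and the sample frames are all constructed for the example; it compares a client that reinstalls the key when step three is resent with a patched client that does not.

```python
import hashlib

def keystream(key, nonce, n):
    """Toy stand-in for WPA2's cipher: the output depends only on (key, nonce)."""
    return hashlib.shake_256(key + nonce.to_bytes(6, "big")).digest(n)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical, simplified model of a Wi-Fi client's key-install logic."""
    def __init__(self, patched):
        self.patched, self.key, self.packet_number = patched, None, 0

    def on_message3(self, key):
        # Patched behaviour: a key that is already installed is not installed again.
        if self.patched and key == self.key:
            return
        # Vulnerable behaviour: every copy of message 3 reinstalls the key
        # and resets the per-packet nonce counter to zero.
        self.key, self.packet_number = key, 0

    def send(self, plaintext):
        self.packet_number += 1  # the nonce must never repeat under one key
        ks = keystream(self.key, self.packet_number, len(plaintext))
        return self.packet_number, xor(plaintext, ks)

# Constructed sample frames of equal length.
P1 = b"GET /index.html HTTP/1.1"
P2 = b"POST /login.php HTTP/1.1"

def run_session(patched):
    """Handshake, one frame, a resent message 3, then a second frame."""
    key = hashlib.sha256(b"constructed session key").digest()
    client = Client(patched)
    client.on_message3(key)
    frame1 = client.send(P1)
    client.on_message3(key)  # step three of the handshake is resent
    frame2 = client.send(P2)
    return frame1, frame2

def keystream_reused(frame1, frame2):
    """True when two frames share a nonce, so XORing them cancels the keystream."""
    (n1, c1), (n2, c2) = frame1, frame2
    return n1 == n2 and xor(c1, c2) == xor(P1, P2)

if __name__ == "__main__":
    print("vulnerable client reuses keystream:", keystream_reused(*run_session(False)))
    print("patched client reuses keystream:   ", keystream_reused(*run_session(True)))
```

With the vulnerable client, both frames carry nonce 1 and the XOR of the two ciphertexts equals the XOR of the two plaintexts, with no key involved; the patched client moves on to nonce 2 and the relation no longer holds.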


How to protect yourself from the KRACK WPA2 hack

Here's what you can (and should) do to stay safe:

  • Avoid public Wi-Fi at all costs. This includes Google's protected Wi-Fi hotspots until Google says otherwise.
  • Only connect to secured services. Web pages that use HTTPS or another secure connection will include HTTPS in the URL. You should contact any company whose services you use and ask if the connection is secured using TLS 1.2; if so, your connection with that service is safe for now.
  • If you have a paid VPN service that you trust, you should enable the connection full-time until further notice. Resist the temptation to rush and sign up for any free VPN service until you can find out if they have been vetted and will keep your data secure.
  • Use a wired network if your router and computer both have a spot to plug in an Ethernet cable. This exploit only affects 802.11 traffic between a Wi-Fi router and a connected device. Ethernet cables are relatively cheap, and an eyesore strung across the carpet is worth it. Look for a Cat6 or Cat5e spec cable, and there should be no configuration needed once plugged in.
  • If you use a Chromebook or MacBook, this USB Ethernet adapter is plug-and-play.

This hack can't steal your banking information or Google password (or any data on a correctly secured connection that uses end-to-end encryption). While an intruder may be able to capture the data you send and receive, it can't be used or even read by anyone. You can't even read it unless you allow your phone or computer to decrypt and unscramble it first.

An attacker may be able to do things like redirect traffic on a Wi-Fi network or even send bogus data in place of the real thing. This could mean something harmless, like printing a thousand copies of gibberish on a networked printer, or something dangerous, like sending malware as a reply to a legitimate request for information or a file.

The best way to protect yourself is to not use Wi-Fi at all until you're directed otherwise.


When will KRACK be patched?

Ubiquiti has been said to already have a patch ready to deploy for their equipment, and if this turns out to be true we should see the same from companies like Microsoft, Google and Apple very soon. Other, less security-conscious companies may take longer and many routers will never see a patch. Of course, if this rumor turns out to be false all bets are off.

This is not a case where you should feel immune because your data isn't valuable enough. The majority of attacks using this exploit will be opportunistic. Kids who live in your building, shady characters who drive the neighborhood looking for Wi-Fi access points (APs) and general mischief makers are already scanning Wi-Fi networks around them.

WPA2 has had a long and fruitful life with nary a public exploit until today. Here's hoping the fix, or whatever comes next, can enjoy the same.

I'm an RHCE and Electrical Engineer who loves gadgets of all kinds. You'll find my writings across Mobile Nations and you can hit me on Twitter if you want to say hey.

  • I guess it's time for Microsoft to patch this flaw and other vendors should do the same
  • I am not aware that Microsoft produces routers or any router related software.
  • Microsoft products are responsible for 1/2 of the handshake...
    Unfortunately... you can't patch half a handshake or you will never establish a connection
  • This is a client-side attack. The only relevance for the router is if it connects to another access point.
    Since the different vendors were informed in the middle of July (almost at the bottom of the page in the Q&A section), I'd expect a patch for this to be rolled out this week.
    Weird that an article on Windows Central pretends Microsoft does not exist, while mentioning Google and Apple.
  • Where did it mention Google and Apple and not Microsoft?
  • At the time of the comment only Google and Apple were mentioned - seems the article has been updated since.
  • You have to forgive ETX808, he cannot read well. Google invests in lots of public Wi-Fi hotspots and that is what the article shared. There was no update on the version that I read. (Maybe the author needs to re-insert the original section wording, then draw a line through it to show what was there before.) "Avoid public Wi-Fi at all costs. This includes Google's protected Wi-Fi hotspots until Google says otherwise."
  • The article was written by an Android Central guy, hence the Google leaning.
  • A follow-up article states Microsoft already patched the flaw on October 10 but only now announced it because, unlike Google, they want to give other companies the chance to patch the vulnerability before they announce it exists.
  • You should also read the source before commenting. The guy who found the flaw states that the attack targets clients connected to a Wi-Fi network. And he clearly states that the fix is enough from the client side (devices connected to Wi-Fi networks). So I don't see what routers have to do with this flaw.
  • Did someone check what is written in this article? KU Leuven is not a security researcher, it's an entire university. So my guess is you should look for the name of the researcher that did this recovery and give him/her the credit that is due. It gets even more ridiculous at the point where you write that "Leuven explained ..." as Leuven is an entire city.
  • It is Mathy Vanhoef in cooperation with Frank Piessens; the paper was named "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2".
  • So..... This will hack the WPA2 handshake, but what about MAC-based whitelists etc. as an additional failsafe?
    Will this be completely ignored when an attacker is using this hack?
  • Good question, I'd like to know too.
  • These kinds of attacks usually need Linux terminal commands. Such adversaries can scan for connected MACs and simply issue a one-line command and spoof their network card MAC with one of your equipment's.
  • So the answer is no, you're not safe even when you've whitelisted your WiFi devices :-(
    I hope Huawei will update my phone quickly, but looking at the rate of patches, it will probably be December or never....
  • I went with a wired connection to my router for all my full-time internet-connected devices over a year ago after the CIA exploit revealed... somehow knew this would be surfaced sooner or later...
  • It also means an attacker can then browse resources shared on the network.
  • Microsoft will have a patch out for this later today.
  • What if you don't broadcast your WiFi network? Or if you do, would it be beneficial to not broadcast it? Wouldn't that reduce vulnerability altogether?