
Alleged 'KRACK Attack' vulnerability threatens to lay bare Wi-Fi WPA-2 security


A group of six collegiate researchers is set to unveil details on a Key Reinstallation Attack (KRACK Attack) for WPA-2 Wi-Fi security, which, if legitimate, can allow attackers to undermine encryption on any Wi-Fi connection utilizing the security method — including Apple hardware connecting to AirPort Extreme and AirPort Express routers. AppleInsider explains what it is, and how to cut down on the potential for attack until patches are rolled out.

The exploit, published on Monday, takes advantage of the four-way handshake that a router and a connecting device use to establish the encryption key. Properly executed, the third step can be compromised, resulting in the re-use of an encryption key — or, in some cases on Android and Linux, the establishment of a null key.

US-CERT, the division of the Department of Homeland Security responsible for computer safety, has become aware of "several key management vulnerabilities" used in the attack. The agency has declared that the vulnerability includes lack of proper encryption, content hijacking, HTTP injection, and other problems. In the advisory issued on Monday, US-CERT says that "most or all correct implementations" of WPA-2 are affected by the vulnerability — meaning every consumer device, and most enterprise access points.

The researchers claim that the attack vector completely opens up an Android 6.0 and later device. Other operating systems, including iOS and macOS, are less impacted, but "a large number of packets" can still be decrypted from all.

At present, there are no patches for consumer-grade devices, and only a few commercial manufacturers have issued updates. A large percentage of network equipment will likely not see updates — so a properly patched operating system will be essential for users.

The attack uses one or more of 10 different exploits. The details of the exploit were submitted for review on May 19, and a conference presentation will be delivered on Nov. 1.

Fixes can be made by vendors at either the client or the router level, and only one of the pair needs to be patched for the vulnerability to be ineffective. A patched computer can connect to an unpatched router and not be vulnerable, and vice versa. Updates to either will prevent an encryption key from being reused.

How to mitigate the issue until a patch is issued

Most networks in single-family homes are probably safe. However, in apartment buildings and thickly settled areas, there remains the potential of attack — if the exploit is as easy to implement as the researchers claim it is.

When and if a patch becomes available for your computers, routers, or other Wi-Fi gear — implement it. If you're not on macOS Sierra, macOS High Sierra, or iOS 11, it might be time to get there.

Avoid public Wi-Fi. That will cut down on exposure vectors for most users while patches are being rolled out.

The researchers note that they cannot retrieve data downloaded from a "properly configured HTTPS site" — but a "significant fraction" aren't well set up. Avoid transmitting sensitive data to non-HTTPS sites.

Networks that do not broadcast their SSID, or network name, can still be sniffed out by the determined, but consider not having a publicly broadcast network name anyway. If somebody is just looking to stir up some trouble, a less visible network is less likely to be attacked than a publicly broadcasting one.

To secure your own home network, ensure that home servers and network attached storage devices all have non-default passwords for file sharing and other services, and use Ethernet whenever possible. Additionally, to prevent an attack on a printer possibly resulting in hundreds of pages of garbage being printed, consider turning off printers when not in use.



29 Comments

gatorguy 14 Years · 24647 comments

Those in large apartment buildings or using public Wi-Fi (bad idea to begin with IMHO) would appear to be most at risk, and bored teens are the ones I'd personally worry about most. Yes, turning off Wi-Fi connected printers too when not in use, particularly in a high-density area, sounds like good advice.

The list of affected routers and the current patch status is here:
https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4

4 Likes · 0 Dislikes
linkman 12 Years · 1041 comments


The researchers claim that the attack vector completely opens up an Android 6.0 and later device. Other operating systems, including iOS and macOS are less impacted, but "a large number of packets" can still be decrypted from all.

When and if a patch becomes available for your computers, routers, or other Wi-Fi gear -- implement it. If you're not on macOS Sierra, macOS High Sierra, or iOS 11, it might be time to get there.

It's likely that a huge number of current Android devices will never get patched.

7 Likes · 0 Dislikes
cyberzombie 14 Years · 257 comments

Given the way they work, I imagine VPNs render the attacks useless as well.

1 Like · 0 Dislikes
Mike Wuerthele 9 Years · 6907 comments

linkman said:

The researchers claim that the attack vector completely opens up an Android 6.0 and later device. Other operating systems, including iOS and macOS are less impacted, but "a large number of packets" can still be decrypted from all.

When and if a patch becomes available for your computers, routers, or other Wi-Fi gear -- implement it. If you're not on macOS Sierra, macOS High Sierra, or iOS 11, it might be time to get there.
It's likely that a huge number of current Android devices will never get patched.

And routers. The two combined are bad news. We'll see if the Airport family gets a patch -- but I'm expecting one for macOS and iOS very, very soon.

2 Likes · 0 Dislikes
gatorguy 14 Years · 24647 comments

linkman said:

The researchers claim that the attack vector completely opens up an Android 6.0 and later device. Other operating systems, including iOS and macOS are less impacted, but "a large number of packets" can still be decrypted from all.

When and if a patch becomes available for your computers, routers, or other Wi-Fi gear -- implement it. If you're not on macOS Sierra, macOS High Sierra, or iOS 11, it might be time to get there.
It's likely that a huge number of current Android devices will never get patched.

Oddly enough in this particular case the most affected Android devices are the ones most likely to get patched. Reportedly not much risk, perhaps none at all, in versions older than 6.0. (41% is the estimate of potentially vulnerable Android devices)

Best advice IMHO is stay off public Wi-Fi anyway, patched or not. Home routers in general are not in much danger according to reporting, except in the very dense metro areas or well-used coffee shops and such where hundreds of people might "see" your Wi-Fi network.

linkman said:

The researchers claim that the attack vector completely opens up an Android 6.0 and later device. Other operating systems, including iOS and macOS are less impacted, but "a large number of packets" can still be decrypted from all.

When and if a patch becomes available for your computers, routers, or other Wi-Fi gear -- implement it. If you're not on macOS Sierra, macOS High Sierra, or iOS 11, it might be time to get there.
It's likely that a huge number of current Android devices will never get patched.
And routers. The two combined are bad news. We'll see if the Airport family gets a patch -- but I'm expecting one for macOS and iOS very, very soon.

I would think Google Wi-Fi too and surely the Airport family.

Given the way they work, I imagine VPNs render the attacks useless as well.

According to researchers, yes, they do.