KRACK: Wi-Fi security flaw affects virtually all devices - Here's what to do

A new method of attack known as KRACK allows hackers to intercept and manipulate Wi-Fi data traffic. We explain how you can protect yourself.

KRACK affects virtually all Wi-Fi-enabled devices.

Björn Greif, Editor

The security researcher Mathy Vanhoef has discovered critical flaws in the WPA2 security standard, which is used virtually everywhere to encrypt Wi-Fi connections. A method of attack known as KRACK (Key Reinstallation Attack) works on virtually all Wi-Fi-enabled client devices. It allows attackers to intercept and manipulate data packets sent or received via a Wi-Fi network secured with WPA2, and so exposes data such as your passwords, account details, messages or emails.

Devices with Android or Linux operating systems are particularly susceptible, according to Vanhoef. Windows and Apple devices are only partially affected because they do not allow the flaws to be fully exploited. In order to carry out an attack, hackers must be in the same Wi-Fi network as the user. You should therefore avoid public Wi-Fi hotspots, such as those at airports and in public areas, cafés or hotels. Wired and mobile Internet connections are not affected by KRACK and are still considered secure.

Wi-Fi Protected Access 2 (or WPA2) is used by virtually every Wi-Fi-enabled device to encrypt the Wi-Fi connection, making KRACK particularly significant. However, client devices connected to the Wi-Fi are more vulnerable to the attack than access points or routers.

Flaw can be patched via software update

The WPA2 security flaw is the result of design errors in the IEEE 802.11 standard on which it is based. The problem lies in the way a client device authenticates itself to a Wi-Fi access point. This four-stage process is known as the four-way handshake; it generates and compares a number of security keys. Details are available on krackattacks.com, where Vanhoef has also published a proof-of-concept video for KRACK.
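The paragraph above says what the handshake does but not why reinstalling an already-installed key is harmful. The following Python model is an added illustration and is not code from this article, from Vanhoef or from any Wi-Fi implementation. It assumes, as background not stated on this page, that installing a key also resets the per-packet nonce (packet counter), so that a reinstalled key encrypts a second packet with the same keystream; it uses an HMAC-based counter-mode keystream as a stand-in for the real cipher, and every key and message in it is constructed for the demo. The `patched` flag models the fix that vendors shipped: a client that refuses to reinstall a key it already holds.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256.

    Stand-in for the real per-packet cipher; the point is only that the
    keystream is a deterministic function of (key, nonce)."""
    out = b""
    block = 0
    while len(out) < length:
        msg = nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Minimal model of the client side of the handshake (constructed, hypothetical)."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.nonce = 0

    def install_key(self, key: bytes) -> bool:
        # Assumption modelled here: installing a key resets the nonce to zero.
        if self.patched and self.key == key:
            # Fixed behaviour: a key that is already in use is never reinstalled,
            # so a retransmitted handshake message cannot reset the nonce.
            return False
        self.key = key
        self.nonce = 0
        return True

    def encrypt(self, plaintext: bytes):
        # Each packet uses the next nonce; the nonce is sent in the clear.
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))


def demo(patched: bool) -> dict:
    """Send two packets with a handshake retransmission in between and report
    whether the nonce repeated and whether the ciphertexts leak p1 XOR p2."""
    client = Client(patched)
    ptk = hashlib.sha256(b"constructed session key").digest()  # constructed key
    client.install_key(ptk)

    p1 = b"GET /account HTTP/1.1\r\n"  # constructed, 23 bytes
    n1, c1 = client.encrypt(p1)

    # The access point retransmits handshake message 3 (it does so whenever it
    # does not receive the client's reply); the client processes it again.
    client.install_key(ptk)

    p2 = b"Cookie: session=ABC12\r\n"  # constructed, 23 bytes
    n2, c2 = client.encrypt(p2)

    return {
        "nonce_reused": n1 == n2,
        # With the same keystream, c1 XOR c2 == p1 XOR p2, so a known packet
        # reveals the other; with distinct keystreams this equality fails.
        "xor_leaks": xor(c1, c2) == xor(p1, p2),
    }


if __name__ == "__main__":
    print("unpatched client:", demo(patched=False))
    print("patched client:  ", demo(patched=True))
```

The unpatched run reports `nonce_reused` and `xor_leaks` as true, the patched run reports both as false. This is why the article stresses installing vendor updates rather than changing the Wi-Fi password: the defect is in how the client handles a repeated handshake message, not in the strength of the key.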

Luckily, the security flaw can be patched through a backward-compatible software update. Until a patch becomes available for your device, you should, as a precaution, refrain from online banking, online shopping or transferring other confidential data via Wi-Fi.

What you should bear in mind

  • Continue to use WPA2 encryption
    The successor to WPA and WEP remains the most secure encryption option available for wireless networks. You should therefore not deactivate WPA2.
  • Always keep your devices up-to-date
    Regularly check whether the latest security updates are installed on your computer, smartphone or router. Device manufacturers such as Microsoft, Apple, Google, Samsung and Intel have already released or announced patches, which you should install as soon as they become available. AVM, the maker of the Fritzbox routers, will provide updates “if necessary”. Linux- and Unix-based systems have already been updated. These include FreeBSD, OpenBSD, Debian and Ubuntu.
  • Use a VPN service
    By using a virtual private network (VPN), you can prevent third parties from intercepting your data traffic via KRACK or other methods of attack. A VPN service sets up a tunnel through which data is transmitted in encrypted form. However, the VPN provider itself can track all of your browsing history, in the same way an Internet provider can with a regular connection.
  • Use HTTPS
    Ensure that you only enter confidential data when using an encrypted browser connection. This is indicated by https:// before the web address. The Cliqz Browser establishes encrypted connections to websites as a standard practice wherever a site operator provides this option. KRACK cannot hack this encryption directly. That said, Vanhoef points out that HTTPS alone may not offer adequate protection if a hacker intercepts the entire data traffic.
  • Changing your Wi-Fi password will not help
    Using the most secure password possible is never a bad idea. But when it comes to KRACK, even the most secure Wi-Fi password will not help because the attack completely circumvents the password query procedure.

The US-CERT (United States Computer Emergency Readiness Team) maintains a list of all affected providers and the current patch status. A slightly clearer list can be found at Charged.