
KRACK in Wi-Fi security: Everything you need to know

A weakness in Wi-Fi-connected devices could expose you to nearby hackers. Here are answers to your questions about that.

Laura Hautala Former Senior Writer

Wi-Fi is everywhere, and you're on it all the time. Get your guard up.

A newly revealed Wi-Fi weak spot puts just about every device at risk, from your work computer to the phone in your hand and the laptop you tote to the coffee shop.

What's especially frustrating is that the attack, called KRACK, could slip in through a vulnerability in a fundamental security protocol.

Here's a rundown on all the key information.


What happened?

A researcher in Belgium named Mathy Vanhoef stumbled across a problem in the code behind WPA2, a protocol that makes wireless connections work in practically every device. The flaw means that all devices are vulnerable to hackers who want to pick up on all the internet traffic flowing in and out of laptops, phones, smart home devices and anything else with a Wi-Fi connection.

Why the name KRACK?

It's short for "Key Reinstallation Attack." It refers to the trick Vanhoef found, which could be used to open up your internet traffic to hackers. The trick forces a device to repeat sensitive information it uses to identify itself before it can establish an internet connection.

Is it as bad as it sounds?

The good news is a hacker has to be nearby to carry out an attack that takes advantage of this problem. The bad news is the attack could be carried out on virtually anything nearby with a Wi-Fi connection. Your devices are likely vulnerable.

Do attackers need to have physical or local access to your network, or can they do so remotely?

Hackers must be near your device to use this attack. This significantly cuts back on the breadth of attack a single hacker can carry out at once. However, the weakness is currently so pervasive that Vanhoef said everyone should assume all their devices are affected and vulnerable.

What's the best way to protect myself?

The most important thing you can do is update your devices as patches become available. Next, you'll want to consider patching your router firmware if the manufacturer doesn't update it for you automatically. Here's a more thorough list of steps to take to secure yourself, and here, from our colleagues at ZDNet, is a list of every patch that's been released so far.

Can't I just change my Wi-Fi password?

You can change your passwords as an extra protective measure -- but this is the least important step. Even though your instinct might be to change your passwords right away, it won't block out hackers who know how to use KRACK.

When will companies start patching?

Windows customers are already protected if they installed software updates released last Tuesday. Apple said it's finalizing patches for iOS, MacOS, WatchOS and TVOS that will be available in the next few weeks. Google said it's aware of the problem and will be releasing any patches necessary in the coming weeks. Amazon is also looking into what patches are needed. Router manufacturers Linksys and Netgear both said they're aware of the problem; Netgear has begun putting out patches. 

Samsung products are at risk, and the company hasn't responded to requests for comment on when updates will be available.

We're keeping a running list of how companies are responding to KRACK here for you to follow along.

Should I just get a new router?

Not yet. If you have an old router and don't think the manufacturer is going to patch it, you should plan to get a new router down the line. The Wi-Fi Alliance announced it will require manufacturers to verify that new routers are no longer vulnerable to KRACK, but the routers on the shelves today haven't been checked. It's most important to update your phones, computers, and other devices that use Wi-Fi to connect to the internet.

Can other people's unpatched devices make me unsafe?

Even if you patch your Android phone and your home router, you could be vulnerable if you connect your phone to another unpatched router. On the plus side, Vanhoef found that routers are harder to attack than phones and other devices. For the time being, the safest thing to do is to avoid using Wi-Fi on your phone if at all possible.

What about public Wi-Fi?

Public Wi-Fi was never safe. Often the data going over your typical coffee shop wireless network is completely unencrypted, meaning hackers could use a cheap device to pick up your internet traffic and read a lot of it. What KRACK can do is make any Wi-Fi network as unsafe as a public Wi-Fi network.

Does turning off phone Wi-Fi protect you, or are the cellular networks vulnerable?

Cellular networks are not affected by KRACK, so turning off Wi-Fi does protect you from the attack. On Android devices, it's pretty straightforward to turn off your Wi-Fi. On an iPhone or iPad that runs iOS 11, you'll have to go to Settings to do so. Turning off Wi-Fi from the control center (that little panel of buttons that appears when you swipe up from the bottom of your screen) doesn't turn it all the way off.

Is HTTPS at risk?

Many websites -- the ones that start with HTTPS -- put an extra layer of encryption on your internet traffic to keep it scrambled as it travels to its destination. The KRACK attack doesn't break this encryption, so the scrambling could help secure your data. However, Vanhoef said, HTTPS alone might not be enough to protect your data if a hacker uses KRACK to read your internet traffic, considering the number of times hackers have found ways to break the encryption.

Can I use a VPN to protect myself?

Yes. A virtual private network, or VPN, encrypts all the data flowing from your device across the internet. It's an extra service that most people use when they need to connect to a workplace computer network when they're not in the office. It creates a safe tunnel for all your data to pass through that eavesdroppers can't spy on. However, not all VPNs are created equal and you should take care to pick out one that fits your needs. 

Originally published Oct. 16 at 10:44 a.m. PT.
Update at 12:38 p.m.: Adds more background on the nature of KRACK, as well as information on patches from device makers.
Update at 2 p.m.: Adds information on general Wi-Fi and router security.
