We use cookies on our websites. Information about cookies and how you can object to the use of cookies at any time or end their use can be found in our privacy policy.

KRACK: Your encrypted Wi-Fi isn't secure

KRACK: Your encrypted Wi-Fi isn't secure

Multiple vulnerabilities in the WPA2 security protocol ensure that data transmissions once believed to be secure can actually be decrypted, intercepted and modified. The problem affecting all current WiFi connections is unlikely to be easily resolved because of the variety of different devices involved. Right now only a few specialists are able to exploit this vulnerability, and only at short range.

The WiFi we currently use everyday in commercial routers is not as secure as we once assumed. But this isn't the fault of the router manufacturers themselves. It's actually due to flaws in the WPA2 security protocol used for encryption.

Your WPA2 signal could be decrypted / © ANDROIDPIT

When a device is connected to the WiFi access point, a secret key is negotiated between the two devices via a four-way "handshake" in accordance with WPA2. This ensures that devices in the vicinity can listen to the following data connection, but cannot decrypt it (not without taking a really long time, anyway). But this handshake, as several experts have now found out, is flawed. One of the steps can be repeated as often as desired; attackers can intervene, intercept the key and intercept or even manipulate the connection.

This new kind of hacking attack was called Key Reinstallation Attacks or KRACK. The research behind it has been kept secret for weeks, but has now been published for public viewing at krackattacks.com. It is still unclear how a real-world attack on WPA2 encryption will actually work. If an exploit should be comparatively easy to implement, WiFi networks in general are no longer trustworthy. At various security conferences, some of the researchers will describe the newly discovered attack method in more detail.

AndroidPIT fritzbox 7590 fritz repeater 1750e 1944
You might want to consider using an Ethernet wired connection for your home PC / © AndroidPIT

We can at least expect router manufacturers to release a patch to mitigate this. Until then, security-minded readers should avoid WLANs, use them only over trusted VPN connections or to limit them to HTTPS (watch for that green lock in the URL to confirm it's secure) or Secure Shell connections. You can also use a wired (Ethernet) internet connection for your home PC.

Although computers have multiple ways for the user to make the connection more secure, and most routers should have this vulnerability patched, the majority of smart devices out there using WiFi, such as TVs, might remain unpatched and leave a hole in your security.

Before panicking, it's important to be aware that potential hackers still need physical access (to the actual radio signals), so you aren't vulnerable to everyone in the world, just potential threats in your neighborhood.

We have sent inquiries regarding KRACK to various router manufacturers and will update the article with corresponding statements.


Source: Ars Technica

Recommended articles


Write new comment:
All changes will be saved. No drafts are saved when editing
Write new comment:
All changes will be saved. No drafts are saved when editing

  • The morning news is all over the place as to whether routers, devices or non-HTTPS web sites are the most vulnerable attack vectors. I got Mint (Ubuntu) patches last night. Microsoft also apparently included its Windows Krack patch in last week's "Patch Tuesday" cumulative update, but held off announcing it to comply with the industry agreement on the disclosure date. Apple is no doubt all over this.

    This is where Android's business model, that is going to completely fail to provide a huge number of end users with protection is unforgiveable. Even if a home router is patched by OEMs or ISPs, Android users will be exposed at any number of wifi hotspots where they ought to be protected by Android. I'd appreciate some reporting on whether a) third party security products are going to be of any use against Krack, and b) whether a third party VPN would secure the many millions of unpatched Android devices that will, in fact, never be patched by Google, a device manufacturer or telco service provider (who are all standing there stupid, with fingers pointing to each other).

    • Hey Albin. While opinion here in the office is divided over how realistic a threat this is, all of us want to have some effective protection and we're gathering information on what security will be available, especially for Android users. We'll share our findings with everyone once we have a clearer picture.