KRACK, the WPA2 exploit that kills Wi-Fi security, and what you need to know right now

Apple AirPort Extreme Time Capsule
Apple AirPort Extreme Time Capsule (Image credit: Rene Ritchie / iMore)

For years we've all depended on the WPA2 (Wi-Fi Protected Access) protocol to secure our Wi-Fi networks. That all comes to an end today.

Security researcher Mathy Vanhoef has revealed what he has labeled KRACK; an exploit that attacks a vulnerability in the handshake of the WPA2 protocol that you most likely use to protect your Wi-Fi at home and millions of small businesses around the world use, too.

Update: iOS 11.2 fixes the KRACK exploit (opens in new tab) on the following older iOS devices: iPhone 6s, iPhone 6s Plus, iPhone 6, iPhone 6 Plus, iPhone SE, iPhone 5s, 12.9-inch iPad Pro 1st generation, iPad Air 2, iPad Air, iPad 5th generation, iPad mini 4, iPad mini 3, iPad mini 2, and iPod touch 6th generation.

Speaking at the ACM Conference on Computer and Communications Security in Dallas, Vanhoef explained that this exploit may allow packet sniffing, connection hijacking, malware injection, and even decryption of the protocol itself. The vulnerability has been disclosed to the people who need to know these sorts of things early to find a fix and US-CERT (United States Computer Emergency Readiness Team) has released this prepared bulletin:

US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.

According to a researcher who has been briefed on the vulnerability, it works by exploiting a four-way handshake that's used to establish a key for encrypting traffic. During the third step, the key can be resent multiple times. When it's resent in certain ways, a cryptographic nonce can be reused in a way that completely undermines the encryption.

How do I stay safe?

To be honest, for the next couple of days there aren't a ton of public options available to you. We're not going to tell you how it works or where to find more information on how exactly the attack works. But we can tell you what you can (and should do) to stay as safe as possible.

  • Avoid public Wi-Fi at all costs. This includes Google's protected Wi-Fi hotspots until Google says otherwise. If your carrier forces your phone to Wi-Fi when in range, visit the forum for your phone to see if there's a workaround to stop it from happening.
  • Only connect to secured services. Web pages that use HTTPS or another secure connection will include HTTPS in the URL. You should contact any company whose services you use and ask if the connection is secured using TLS 1.2, and if so your connection with that service is safe for now.
  • If you have a paid VPN service that you trust you should enable the connection full-time until further notice. Resist the temptation to rush and sign-up for any free VPN service until you can find out if they have been vetted and will keep your data secure. Most don't.
  • Use a wired network if your router and computer both have a spot to plug in an Ethernet cable. This exploit only affects 802.11 traffic between a Wi-Fi router and a connected device. Ethernet cables are relatively cheap (opens in new tab) and an eyesore strung across the carpet is worth it. Look for a Cat6 or Cat5e spec cable and there should be no configuration needed once plugged in.
  • If you use a Chromebook or MacBook, this USB Ethernet adapter is plug-and-play (opens in new tab).
  • Relax.

What could happen if I am on an attacked network?

This hack can't steal your banking information or Google password (or any data on a correctly secured connection that uses end-to-end encryption). While an intruder may be able to capture the data you send and receive, it can't be used or even read by anyone. You can't even read it unless you allow your phone or computer to decrypt and unscramble it first.

An attacker may be able to do things like redirect traffic on a Wi-Fi network or even send bogus data in place of the real thing. This means something harmless like printing a thousand copies of gibberish on a networked printer or something dangerous like sending malware as a reply to a legitimate request for information or a file. The best way to protect yourself is to not use Wi-Fi at all until you're directed otherwise.

See more

Update: Several vendors have released a patch for testing that fixes the exploit. This means the sky is not falling, and we should start seeing updates from other companies, like Apple, very soon.

Ubiquiti has been said to already have a patch ready to deploy for their equipment, and if this turns out to be true we should see the same from companies like Google or Apple very soon. Other, less security-conscious companies may take longer and many routers will never see a patch. Some companies who make routers are much like some companies who make Android phones: any desire to support the product stops when your money reaches their bank. Of course, if this rumor turns out to be false all bets are off.

Does this really matter?

This is not a case where you should feel immune because your data isn't valuable enough. The majority of attacks using this exploit will be opportunistic. Kids who live in your building, shady characters who drive the neighborhood looking for Wi-Fi APs and general mischief makers are already scanning Wi-Fi networks around them.

WPA2 has had a long and fruitful life with nary a public exploit until today. Here's hoping the fix, or what comes next, can enjoy the same. Stay safe!

Jerry Hildenbrand

I'm an RHCE and Electrical Engineer who loves gadgets of all kinds. You'll find my writings across Mobile Nations and you can hit me on Twitter if you want to say hey.

  • Would hiding your network’s SSID help at all?
  • Not really. Any tool that is going to crack this, will also show hidden SSID's. Hidden SSID's don't really do much apart from hiding it from plain view, but anyone who is going to crack in will also see this.
  • I wonder if Tomato will update their firmware for this? I also have an older build of DD-WRT running on a 2nd box that is out of date but the newer builds won't support the older model. I live out in the woods any way.
  • Wondering if defining MAC address access to the WiFi will do any good.
  • No. Defining MAC addresses is useless. Source:
  • A list of recommended VPNs or a recommended article listing VPNs would be excellent. Yes, I read Anthony's "What to look for when choosing a VPN provider" ( ), but that's not offering a list. A good VPN is good, but a bad VPN could do some very bad things.
  • Lots of hysteria and misinformation about this. First, home wifi routers are not affected at all UNLESS you have one configured as a bridge to another router. So if you are sharing wifi with your neighbor, for example, then the router acting as the bridge is vulnerable. Normal routers used only as routers are not affected. Windows is already patched, but we all know people who don't stay up to date on Windows. Apple stuff will be patched shortly. Google will be patching this soon, but who knows when it will trickle down to all Android devices. Linux is already patched. The point is, patch your devices as soon as possible. Don't worry about your home wifi, unless it is using a bridge router somewhere.
  • It is very easy to do a web search for KRACK and KU LEUVEN to obtain the research paper. It is important to know more about the exploit for preventative purposes. I don't know why iMore thinks purposefully withholding information is going to be good for anyone.