KRACK Wi-Fi attack - the rules haven't changed

Don’t panic. Patch.

Krack - the rules haven't changed

Mathy Vanhoef has discovered what may be the biggest vulnerability of the year - a flaw in the WPA2 protocol used to encrypt Wi-Fi communications.

In the wrong hands, an attacker could exploit the vulnerability in WPA2's handshake protocols to intercept sensitive information such as passwords. At risk-devices include those running Android, Apple, Linux, OpenBSD and Windows operating systems.

Vanhoef describes the attack as being "exceptionally devastating against Linux and Android 6.0 or higher."

However, don't panic too much.

Much of the web these days (and an increasing number of apps) are using HTTPS/SSL for encryption, limiting the opportunities for stealing information through the KRACK attack.

Furthermore, an attacker has to be within range of your Wi-Fi network to launch a KRACK attack against it. This isn't something that a hacker on the other side of the world can use to spy on you.

Finally, Wi-Fi hardware vendors were informed responsibly of the KRACK attack from July onwards, long before it was made public - meaning that many have been beavering away developing fixes. Accordingly, there is a long list of advisories from many different vendors that you can peruse at your leisure.

The rules haven't changed - reduce the risk by patching your devices as soon as security updates are released. And, if you have access to a trusted VPN service, use it to add an additional layer of protection!

Oh and a side note. Developers who *hadn't* been properly following the WPA2 specification ironically found that their software *wasn't* vulnerable to exploitation. There's really no justice in the world, is there?

Hear more about KRACK in this episode of the "Smashing Security" podcast:

Subscribe: Apple Podcasts | Google Play | Overcast | Stitcher | RSS for you nerds.
(Visited 2,293 times, 1 visits today)

Tags: , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , ,

4 Responses

  1. tom joad

    October 18, 2017 at 3:26 am #

    Of course, for the millions of us using (non-new Pixel) Android phones, the carriers will NEVER update this massive breach, nor with the political arm of Comcast (the former FCC) will do jack squat to lean on these a-holes. They will all parrot the same advice: BUY NEW HARDWARE, CA-CHING. There Ain't No Justice.

  2. Jim

    October 21, 2017 at 12:24 pm #

    …within range of your Wi-Fi network…., and the range is?

    Reason I ask is that I live in a flat , 7 metres above ground level.

    • P in reply to Jim.

      October 29, 2017 at 1:02 am #

      The Range depends on the sensitivity of the antenna on the attacker's device, but it's at least 300 feet (length of a football field), commonly as far as 600 feet and with the right antenna likely to be much further than that. 7 metres = 22 feet, which is well within the range limit of Bluetooth, let alone WiFi.

      • Jim in reply to P.

        October 29, 2017 at 8:42 am #

        Thanks although wondering how prominent the antenna are?

        Could it be used within a car or would the antenna have to be used in an open area such as a field?

Leave a Reply