KRACK Wi-Fi attack – the rules haven’t changed

Don’t panic. Patch.

Graham Cluley


Mathy Vanhoef has discovered what may be the biggest vulnerability of the year – a flaw in the WPA2 protocol used to encrypt Wi-Fi communications.

In the wrong hands, an attacker could exploit the vulnerability in WPA2’s handshake protocols to intercept sensitive information such as passwords. At-risk devices include those running Android, Apple, Linux, OpenBSD and Windows operating systems.

Vanhoef describes the attack as being “exceptionally devastating against Linux and Android 6.0 or higher.”


However, don’t panic too much.

Much of the web these days (and an increasing number of apps) is using HTTPS/SSL for encryption, limiting the opportunities for stealing information through the KRACK attack.

Furthermore, an attacker has to be within range of your Wi-Fi network to launch a KRACK attack against it. This isn’t something that a hacker on the other side of the world can use to spy on you.

Finally, Wi-Fi hardware vendors were informed responsibly of the KRACK attack from July onwards, long before it was made public – meaning that many have been beavering away developing fixes. Accordingly, there is a long list of advisories from many different vendors that you can peruse at your leisure.

The rules haven’t changed – reduce the risk by patching your devices as soon as security updates are released. And, if you have access to a trusted VPN service, use it to add an additional layer of protection!

Oh and a side note. Developers who *hadn’t* been properly following the WPA2 specification ironically found that their software *wasn’t* vulnerable to exploitation. There’s really no justice in the world, is there?

Hear more about KRACK in this episode of the “Smashing Security” podcast:

Smashing Security #048: 'KRACK, North Korea, and an 18th century cyber attack'



Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

4 comments on “KRACK Wi-Fi attack – the rules haven’t changed”

  1. tom joad

    Of course, for the millions of us using (non-new Pixel) Android phones, the carriers will NEVER update this massive breach, nor will the political arm of Comcast (the former FCC) do jack squat to lean on these a-holes. They will all parrot the same advice: BUY NEW HARDWARE, CA-CHING. There Ain't No Justice.

  2. Jim

    …within range of your Wi-Fi network…, and the range is?

    Reason I ask is that I live in a flat, 7 metres above ground level.

    1. P · in reply to Jim

      The range depends on the sensitivity of the antenna on the attacker's device, but it's at least 300 feet (length of a football field), commonly as far as 600 feet and with the right antenna likely to be much further than that. 7 metres = 22 feet, which is well within the range limit of Bluetooth, let alone WiFi.

      1. Jim · in reply to P

        Thanks, although I'm wondering how prominent the antennas are?

        Could it be used within a car or would the antenna have to be used in an open area such as a field?
