UPDATE: Google has patched its own Android phones against KRACK.
UPDATE: Apple has patched iOS against the KRACK attack. More details below.
UPDATE: Some companies have begun to respond to KRACK, issuing patches — or deferring action until later. We've compiled available information for updating routers in a new article.
This story was originally published Oct. 16, 2017.
A severe flaw in the encryption protocols used by nearly all modern Wi-Fi networks could let attackers hijack encrypted traffic, steal passwords and even inject malware into smartphones and laptops.
Dubbed KRACK, or Key Reinstallation Attack, by its discoverer, the flaw affects all widely used platforms: Windows, Mac, iOS, Linux and Android. Android 6.0 Marshmallow and later, and Linux kernel 2.4 and later, are especially hard-hit.
Despite the severity of the flaw, it is rather difficult to implement. The user needs to be within Wi-Fi range of a smartphone or laptop to attack it. The attack does not work over the internet.
What to Do
Users should keep using encrypted Wi-Fi wherever necessary, such as at home and at work. However, you might want to avoid using the Wi-Fi networks, even password-protected ones, in coffeeshops, hotels, airports and other public places for the time being. Use cellular data or a VPN service instead.
Fortunately, many Wi-Fi router and client-device makers have already or are about to issue patches -- a list of vendors that have already issued patches is at https://www.kb.cert.org/vuls/id/228519 (you may need to copy and paste the URL) -- so users should update their routers, smartphones and laptops as soon as possible.
UPDATE Oct. 31: Apple's iOS 11.1 update for iPhones and iPads includes a solution that protects against KRACK attacks. To update, open Settings, tap General, tap Software Update and tap Download and Install.
UPDATE Nov. 8: Google's November Android security update patches the KRACK flaw. Google's own Pixel and late-model Nexus phones will get the update immediately. Other brands' updates will depend on the manufacturer and carrier.
MORE: Best Wi-Fi Routers
The attack is mostly against client devices, including laptops, Wi-Fi enabled desktops, smartphones, tablets and smart-home devices. It's more important that client devices get patched than routers get patched, although patching the routers wouldn't hurt.
There's no need to change your Wi-Fi password: The KRACK attack doesn't require knowing your Wi-Fi password, and doesn't even access it. Rather, the main line of attack involves setting up a rogue network in range of the real one, using the same network name so that some devices connect to the rogue network instead.
KRACK was discovered by Mathy Vanhoef, a postdoctoral researcher at the Catholic University of Leuven in Belgium. He's put up a website detailing the flaw in relatively easy-to-understand terms, as well as a research paper that's not so easy to grasp.
"The attack works against all modern protected Wi-Fi networks," Vanhoef wrote on the "official" Krack attack site. "To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected."
The flaw is not in the cryptography underlying WPA2 or its predecessor, WPA. Rather, it's in the implementation.
When communicating with a client device to initiate a Wi-Fi connection, the router sends a one-time cryptographic key to the device. That key is unique to that connection, and that device. In that way, a second device on the same Wi-Fi network shouldn't be able to intercept and read the traffic to and from the first device to the router, even though both devices are signed into the same Wi-Fi network.
The problem is that that one-time key can be transmitted more than one time. To minimize connection problems, the WPA and WPA2 standards let the router transmit the one-time key many times if it does not receive an acknowledgement from the client device that the one-time key was received.
Because of that, an attacker within Wi-Fi range can capture the one-time key, and even force the client device to connect to the attacker's bogus Wi-Fi network. The attacker can retransmit the one-time key, which forces the client device to roll the count of transmitted packets back to zero. The attacker can then compare the encrypted traffic before and after he or she resent the one-time key to find the overall session key and decrypt much of the traffic passing between the client device and the router.
Android 6.0 and later and recent versions of Linux are particularly vulnerable, because the attacker can resend a fake one-time key of all zeroes -- in other words, a blank key. In such cases, the encryption between the router and client device will be completely broken.
The attack will NOT affect traffic between client devices and websites that use proper implementations of HTTPS web encryption. Such traffic will be encrypted on its own, and cannot be read by the attacker.
However, many websites improperly set up HTTPS. Vanhoef demonstrates such an attack by completely breaking the encryption on a connection between and Android device and the British website of Match.com, which did not set up HTTPS properly. Vanhoef manages to steal the user's Match.com password and username.
"Our attack is not limited to recovering login credentials (i.e. e-mail addresses and passwords)," he wrote. "In general, any data or information that the victim transmits can be decrypted. Additionally, depending on the device being used and the network setup, it is also possible to decrypt data sent towards the victim (e.g. the content of a website)."
The silver lining is that WPA2 is NOT fundamentally broken, and that this flaw is relatively easy to fix by eliminating the resending of one-time keys. Vanhoef noted that Windows and iOS are less affected because they do not accept one-time keys that have been sent more than once. However, those platforms are still vulnerable to more creative versions of this attack.
However, it may be difficult to update some older Wi-Fi routers. Thankfully, updating client device should protect against these attacks. Ironically, older Android devices running 5.0 Lollipop or earlier, which are most likely to not receive updates, are less vulnerable than their newer cousins.