Key Reinstallation Attack (KRACK) is a WPA security vulnerability. WPA2 is the security protocol that protects wireless connections on practically every device, and serious weaknesses have been discovered in it. The flaw means that all devices are vulnerable to hackers who want to pick up the Internet traffic flowing in and out of laptops, cell phones, smart home devices, and anything else with a WiFi connection.
Hackers must be near your device to use this attack. This significantly cuts back on the scale of attack a single hacker can carry out at once. The bad news is that the attack can be carried out on virtually anything nearby with a WiFi connection, making most devices vulnerable.
Also, WPA2 with only AES is vulnerable. The attack works against both WPA1 and WPA2, personal and enterprise networks, and against any cipher suite being used (WPA-TKIP, AES-CCMP, and GCMP). Everyone should update their devices to prevent the attack.
Changing the password of your WiFi network does not prevent or mitigate the attack. Instead, do the following:
- Make sure your router's firmware and all of your devices are updated.
- After updating both your client devices and your router, it is never a bad idea to change the WiFi password.
The most important thing you can do is update your devices as patches become available. Next, you'll want to consider patching your router firmware if the manufacturer doesn't update it for you automatically. See CNet's "KRACK Wi-Fi Bug: Here's How to Protect Yourself" for a thorough list of steps to take to secure your network and ZDNet's "Here's Every Patch For KRACK" for additional information on current patches.
Note: Even if you patch your Android phone and your home router, you could be vulnerable if you connect your phone to another unpatched router. For the time being, the safest thing to do is to avoid using WiFi on your phone if possible. Cellular networks are not affected by KRACK, so turning off WiFi protects you from the attack.
The main attack is against the four-way handshake and does not exploit access points; instead, it targets clients. We strongly advise you to contact your router's manufacturer for more details to understand if your router needs to be updated. In general, you can try to mitigate attacks against routers and access points by disabling client functionality (which is used in repeater modes, for example) and disabling 802.11r. For ordinary home users, your priority should be updating clients, such as laptops and smartphones.
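The two access-point settings named above, 802.11r and client (repeater) functionality, can be checked in a router's configuration. The following is an added example, not part of the original article or any vendor's tooling; it assumes a router running OpenWrt, whose `/etc/config/wireless` file uses the `ieee80211r` and `mode 'sta'` options, and the sample configuration in it is constructed.

```python
import shlex

TRUE_VALUES = {"1", "yes", "on", "true", "enabled"}  # values UCI treats as true

# Constructed sample in OpenWrt UCI syntax (not taken from any real router).
SAMPLE_CONFIG = """
config wifi-device 'radio0'
    option type 'mac80211'

config wifi-iface 'home_ap'
    option mode 'ap'
    option ieee80211r '1'   # fast roaming (802.11r) enabled

config wifi-iface 'uplink'
    option mode 'sta'       # router joins another network as a client

config wifi-iface 'guest_ap'
    option mode 'ap'
    option ieee80211r '0'
"""

def parse_wifi_ifaces(text):
    """Return {section_name: {option: value}} for every wifi-iface section."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # handles quotes and '#' comments
        if not tokens:
            continue
        if tokens[0] == "config":
            current = None  # sections of other types are ignored
            if len(tokens) >= 2 and tokens[1] == "wifi-iface":
                name = tokens[2] if len(tokens) > 2 else f"@wifi-iface[{len(ifaces)}]"
                current = ifaces.setdefault(name, {})
        elif tokens[0] == "option" and current is not None and len(tokens) >= 3:
            current[tokens[1]] = tokens[2]
    return ifaces

def audit(text):
    """List (section, finding) pairs for the two settings to review."""
    findings = []
    for name, opts in parse_wifi_ifaces(text).items():
        if opts.get("disabled", "0").lower() in TRUE_VALUES:
            continue  # interface is switched off, nothing to review
        if opts.get("ieee80211r", "0").lower() in TRUE_VALUES:
            findings.append((name, "802.11r enabled"))
        if opts.get("mode") == "sta":
            findings.append((name, "client (sta) mode"))
    return findings
```

Calling `audit()` on the contents of the router's wireless configuration file returns the interfaces to review; an empty list means neither setting is active.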
Using a Virtual Private Network, or VPN, encrypts all data flowing from your device across the internet. It's an extra service that most people use when they need to connect to a workplace computer network when they're not in the office. It creates a safe tunnel for your data to pass through that eavesdroppers can't spy on.
Many websites that start with https put an extra layer of encryption on your internet traffic to keep it scrambled as it travels to its destination. The KRACK attack does not break this encryption, so the scrambling can help secure your data.
The data moving through your typical coffee shop's wireless network is often completely unencrypted, meaning hackers can easily infiltrate the network to pick up your Internet traffic and read it. What KRACK can do is make any WiFi network as unsafe as a public WiFi network.
If you have an old router and don't think the manufacturer is going to patch it, it is advisable to get a new router later, after the patch has been implemented. The Wi-Fi Alliance® announced it will require manufacturers to verify that new routers are no longer vulnerable to KRACK; see "Wi-Fi Alliance® Security Update" for more details. However, the routers on the shelves today haven't been checked. You will need to update your phones, computers, and other devices that use WiFi to connect to the Internet.
Note: Cox-issued routers have firmware updates automatically pushed to them. We are working with our vendors and currently do not have a date for when the updates will be pushed. These types of updates can typically take several months.