October 19, 2017

Keep Your Wi-Fi off KRACK

Up-to-date software, apps, browsers and router software offer the best protection against a potential flaw in wi-fi security called a key reinstallation attack, or KRACK.

By Larry Greenemeier

Illustration of a Bohr atom model spinning around the words Science Quickly with various science and medicine related icons around the text

SUBSCRIBE TO Science Quickly

Apple | Spotify | YouTube | RSS

Join Our Community of Science Lovers!

It seems every week we find out that someone broke into a big company’s databases—like the recent Equifax data breach—and made off with millions of credit card numbers, passwords and other valuable info. And now a new kind of worry: someone could hijack your wireless home network and steal your info from under your nose.

That’s the possibility raised by a couple of cybersecurity researchers from the Catholic University of Leuven in Belgium. The problem, they say, is a flaw in the very protocol meant to make wi-fi secure. That protocol is called Wi-Fi Protected Access II, WPA2. And WPA2’s weakness could allow an attacker within physical range of your wi-fi network to make a copy of that network that they could then control. The researchers call their approach a

key reinstallation attack, or KRACK.

On supporting science journalism

If you're enjoying this article, consider supporting our award-winning journalism by subscribing. By purchasing a subscription you are helping to ensure the future of impactful stories about the discoveries and ideas shaping our world today.

It’s important to know that a KRACK attack remains a hypothetical for now. The scientists realized the threat while investigating wireless security. They’ll present this research on November 1^st at the Computer and Communications Security (CCS) conference in Dallas and in December at the Black Hat Europe conference in London.

In their KRACK scenario, wireless devices would be fooled into connecting to the bogus network. And the attacker would be able to access all of the info that devices send and receive while connected to that network—even if that info has been encrypted. Android and Linux would be especially vulnerable because of how their encryption keys are configured.

One measure of protection against such an attack would be to make sure they you’ve installed the most up-to-date versions of your apps, browsers and wireless router software. Updated software is most likely to include the security patches needed to avoid falling victim to a KRACK attack. Because chances are that KRACK won’t remain simply a proof-of-concept for long.

—Larry Greenemeier

[The above text is a transcript of this podcast.]

It’s Time to Stand Up for Science

If you enjoyed this article, I’d like to ask for your support. Scientific American has served as an advocate for science and industry for 180 years, and right now may be the most critical moment in that two-century history.

I’ve been a Scientific American subscriber since I was 12 years old, and it helped shape the way I look at the world. SciAm always educates and delights me, and inspires a sense of awe for our vast, beautiful universe. I hope it does that for you, too.

If you subscribe to Scientific American, you help ensure that our coverage is centered on meaningful research and discovery; that we have the resources to report on the decisions that threaten labs across the U.S.; and that we support both budding and working scientists at a time when the value of science itself too often goes unrecognized.

In return, you get essential news, captivating podcasts, brilliant infographics, can't-miss newsletters, must-watch videos, challenging games, and the science world's best writing and reporting. You can even gift someone a subscription.

There has never been a more important time for us to stand up and show why science matters. I hope you’ll support us in that mission.

Thank you,

David M. Ewalt, Editor in Chief, Scientific American