KRACK Attack: Your Wi-Fi Encryption Is Broken. Here's What That Means.
Security researchers (Mathy Vanhoef and Frank Piessens of KU Leuven, in October 2017) disclosed a critical set of vulnerabilities in WPA2, the security protocol that protects virtually every Wi-Fi network in the world. The attack, called KRACK (Key Reinstallation AttaCK), lets an attacker within radio range of your Wi-Fi network decrypt traffic, replay packets and, depending on the cipher in use and the client's software, inject content into the data transmitted over the wireless link.
Let's break this down without panicking.
What KRACK Does
WPA2 protects your Wi-Fi traffic by encrypting it so that only your device and the access point can read it. When you connect, your device and the access point run a four-way handshake that agrees a fresh session key (the pairwise transient key, PTK); message 3 of that handshake is what tells your device to install the key. KRACK exploits the fact that a vulnerable device accepts a replayed message 3: an attacker positioned between you and the access point blocks or delays your device's reply, the access point retransmits message 3, and your device reinstalls the very same key. Installing a key resets the per-packet nonce (the packet number) and the replay counter to zero, so your device encrypts its next frames with keystream it has already used. That reuse is what breaks the encryption: an attacker who captures two frames encrypted under the same key and nonce can XOR them to cancel the keystream out and, with a guessable frame (a predictable web request, for instance), recover the other one. The key itself is never revealed.
This means an attacker within Wi-Fi range could:
- Read data sent over your Wi-Fi connection
- Inject malicious content into web pages
- Steal login credentials sent over unencrypted connections
- On Android 6.0 and later and on Linux clients running wpa_supplicant 2.4 to 2.6, the replay makes the device install an all-zero key instead of the real one, so decrypting and manipulating their traffic is trivial, including injecting ransomware or other malware into unencrypted downloads
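The mechanism behind "reinstalling an already-used key", as an added illustration that is not part of the original post: a toy model of a client's key state, with a stand-in keystream generator (HMAC-SHA256 in counter mode in place of CCMP's AES-CTR, chosen so the script runs with only the Python standard library) and constructed sample frames. The attacker never learns the key; they only replay handshake message 3 and capture the frames that follow. The PTK value and the two frames are made up for the demonstration.

```python
"""Toy model of the KRACK key-reinstallation effect (added example, not the
original post's code). The keystream generator is a stand-in for CCMP's
AES-CTR; the key and the frames are constructed sample data."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


def keystream(key: bytes, pn: int, length: int) -> bytes:
    """Stand-in for CCMP's AES-CTR keystream. Like the real thing it is a pure
    function of (key, packet number): repeat the pair and you repeat the bytes."""
    out = b""
    block_index = 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + block_index.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block_index += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Client:
    """Minimal model of a client's pairwise key state after the 4-way handshake."""
    patched: bool = False
    ptk: Optional[bytes] = None
    pn: int = 0  # transmit packet number; must never repeat under one key

    def on_handshake_message3(self, ptk: bytes) -> None:
        """Message 3 tells the client to install the PTK. Installing a key
        resets the packet number to 0 (as 802.11 requires). A vulnerable
        client does this every time it sees message 3, even a replayed one;
        the fix is to refuse to reinstall a key that is already in use."""
        if self.patched and self.ptk == ptk:
            return  # already installed: ignore the replay, keep counting
        self.ptk = ptk
        self.pn = 0

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Encrypt one frame; returns (pn, ciphertext) as sent over the air."""
        assert self.ptk is not None, "no key installed"
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


# Constructed sample frames: the first is something an attacker can guess
# (a predictable request), the second is what they actually want.
KNOWN_FRAME = b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"
SECRET_FRAME = b"POST /login user=drsmith&pass=correct-horse-42"


def run_attack(patched: bool) -> dict:
    """Simulate a key reinstallation against one client. The attacker (a
    man-in-the-middle on the Wi-Fi channel) never sees the PTK; they capture
    encrypted frames and replay handshake message 3."""
    ptk = hashlib.sha256(b"constructed-ptk-derived-from-handshake").digest()
    client = Client(patched=patched)

    client.on_handshake_message3(ptk)      # legitimate message 3: key installed
    pn1, ct1 = client.send(KNOWN_FRAME)    # first frame, PN = 1

    client.on_handshake_message3(ptk)      # attacker replays message 3
    pn2, ct2 = client.send(SECRET_FRAME)   # vulnerable client: PN = 1 again

    # Attacker side: same key + same PN => same keystream, so
    # ct1 XOR ct2 == KNOWN_FRAME XOR SECRET_FRAME, and KNOWN_FRAME is guessable.
    n = min(len(ct1), len(ct2))
    recovered = xor(xor(ct1[:n], ct2[:n]), KNOWN_FRAME[:n])
    return {
        "pn_reused": pn1 == pn2,
        "recovered": recovered,
        "success": recovered == SECRET_FRAME[:n],
    }


if __name__ == "__main__":
    for patched in (False, True):
        r = run_attack(patched)
        shown = r["recovered"] if r["success"] else b"<garbage>"
        print(f"patched={patched}: PN reused={r['pn_reused']}, recovered={shown!r}")
```

Run it and the unpatched client reuses packet number 1 after the replay, so XORing the two captured frames with the guessable first request yields the second frame; the patched client refuses to reinstall a key it is already using, its packet number keeps counting, and the same XOR yields garbage. The real attack needs more setup (the attacker has to sit on a cloned channel to delay the handshake, and CCMP also carries an integrity tag that keystream reuse does not let them forge), but the confidentiality break is exactly this.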
What KRACK Does NOT Do
- It does not reveal your Wi-Fi password
- It does not work remotely (the attacker must be within Wi-Fi range)
- It does not break HTTPS. If you're visiting a website over HTTPS (the padlock in your browser), that encryption layer is negotiated end to end with the website and is unaffected. Two caveats: an attacker who can manipulate your traffic can try to downgrade a site that does not enforce HTTPS (the researchers' demonstration used exactly this against a site without HSTS), and no protocol helps if someone clicks past a certificate warning
- It does not compromise WPA2 permanently. The fix is a software change to how devices handle the handshake, it is backward-compatible, and a patched device stays protected even when it connects to an unpatched access point
What You Need to Do
Update Everything
KRACK is fixed through software updates. The four-way handshake flaw lives in the client (your computer, phone, tablet, and anything else that joins a Wi-Fi network), so client updates matter most; access points are affected where they act as clients themselves (repeater, mesh and bridge modes) or support 802.11r fast roaming. Vendor advisories track the fixes under CVE-2017-13077 through CVE-2017-13088. Priority updates:
- Windows: Microsoft fixed this in the October 10, 2017 security update, released before public disclosure. If you have automatic updates enabled, you're already protected.
- Apple: iOS 11.1 and macOS 10.13.1 contain the fix (older iPhones and iPads received it in iOS 11.2). Update when available.
- Android: Google's November 2017 security patch addresses KRACK, but on most phones the update has to come from the manufacturer or carrier, and many never ship it. This is the weakest link: Android 6.0 and later are the devices hit hardest by the all-zero-key variant, so a phone that no longer receives updates should be treated as permanently vulnerable on Wi-Fi and kept off the practice network.
- Linux: the fix is in wpa_supplicant (and in hostapd for access points). Most distributions shipped patched packages within days of disclosure, so a routine update is enough.
- Access points: update router and access point firmware as patches become available, especially for devices that run as repeaters or use 802.11r fast roaming, and disable 802.11r in the meantime if your controller allows it.
Use HTTPS Everywhere
HTTPS encrypts your web traffic between the browser and the website, independently of Wi-Fi encryption. Even if KRACK decrypts your Wi-Fi frames, HTTPS still protects data sent to encrypted websites. Install the "HTTPS Everywhere" browser extension to force HTTPS connections when available, and train staff never to click through certificate warnings: a downgraded or spoofed connection is exactly what an attacker on the Wi-Fi would try next.
Use a VPN
If you're on a network you don't fully trust, a VPN encrypts all your traffic regardless of the Wi-Fi encryption status. Use a full-tunnel configuration (all traffic through the VPN, not just traffic to the office) and a client that blocks traffic until the tunnel is up, otherwise the moments before the tunnel connects are exposed. For staff who work remotely or travel, VPN should be standard.
Segment Your Network
Wi-Fi connected medical devices and IoT equipment (printers, cameras, thermostats, smart TVs) may never receive KRACK patches. Keep them on a separate network segment, such as a guest or IoT network with firewall rules that allow them to reach only what they need, so that even if their Wi-Fi encryption is compromised, the attacker can't reach your PMS server or patient data.
Perspective
KRACK is serious but manageable. Unlike WannaCry or NotPetya, which spread automatically from machine to machine, KRACK requires an attacker within radio range of your Wi-Fi network and a deliberate man-in-the-middle setup against each victim. The risk for most practices is lower than the headlines suggest, especially if you're patching promptly and using HTTPS.
The takeaway: update your devices, use encrypted connections, and don't rely on any single security layer. Defense in depth isn't just a buzzword. It's the reason KRACK is a nuisance rather than a catastrophe.