Today’s guide seeks to illustrate the dangers of the KRACK Wi-Fi vulnerability, and how to protect yourself from it. You’ll learn the basics of how KRACK works, plus measures you can take within minutes to shore up the security of your local wireless network. We’ll even run you through encrypting your data with a VPN to round out your defenses.
Another day, another danger. That seems to be the way the internet works these days. The KRACK vulnerability was unveiled to the public in October 2017, showing a surprisingly easy method hackers can employ to break into Wi-Fi connections without a password. This means any device using wireless internet is vulnerable to a new kind of attack, one that’s baked into Wi-Fi security itself.
If you’re worried about your router security, install one of these high-security VPNs to rest easier:
- NordVPN – Best Router VPN – NordVPN installs easily onto any router, bringing with it a litany of advanced privacy features and failsafes that enable you to lock down your cybersecurity. It won’t single-handedly solve the KRACK vulnerability, but it’ll address almost everything else.
- Surfshark – A new VPN with unlimited simultaneous connections and smart automatic countermeasures against site blocks.
- ExpressVPN – Overall the fastest VPN on a given day, made even faster with the recent rollout of their Lightway encryption protocol.
- IPVanish – The classic choice for installation onto devices with weak processors, thanks to a lean-but-mean app design.
- VyprVPN – Need advanced tunneling? Rely on the Chameleon protocol to get you through–even in China.
Fortunately, there are some fixes that can help protect you from KRACK. Read on to see what the attack does and find out what you can do to stay safe.
Wi-Fi Security – Just the Basics
It wouldn’t be much of an exaggeration to say Wi-Fi has changed the world. Internet access is great and all, but can you imagine having to plug your phone into the wall in order to check your e-mail? Wi-Fi lets devices connect to the internet without cables, allowing an entire generation to grow up with internet access floating in the air. What’s more, the technology has begun to give rise to the Internet of Things, in which even the most mundane appliances, like a refrigerator, thermostat, or light switch, have constant access to the internet for enhanced functionality. Truly revolutionary.
The downside to broadcasting connections is that any device can log onto an open network. To combat this, security protocols were developed that force machines to pass a cryptography-based certification before they can connect. Wired Equivalent Privacy (WEP) was first out the door, but serious vulnerabilities made it obsolete pretty fast. Wi-Fi Protected Access (WPA) was developed as a response, followed by Wi-Fi Protected Access II (WPA2).
You’ll no doubt be familiar with these abbreviations from connecting your own devices to wireless networks. For the average end-user there’s very little difference between WEP, WPA, and WPA2. In practice, they simply force you to enter a password before you can connect. Once you dig deeper into the inner workings of WEP and WPA, however, you discover there are some exploitable vulnerabilities that make the protocols less than perfect.
How KRACK Attacks Your Wi-Fi
KRACK, which stands for Key Reinstallation Attack, was first discovered by Belgian researchers in 2016. A detailed analysis was published in October 2017, which sent software companies scrambling to create patches to fix the weakness. The inherent vulnerability still exists, however, and that could be problematic.
KRACK exploits a fundamental flaw in Wi-Fi Protected Access II (WPA2) to gain access to any secured network. It does this by targeting the handshake process used to verify connecting devices with the router. Let’s say you want to connect a phone to your home network. In order to verify that both the phone and the router are the devices they claim to be, a four-way handshake takes place. During this process, cryptographic keys are swapped back and forth a few times. Assuming you entered the correct WPA2 password and the checks pass, the handshake will clear and your phone can connect.
To gain access to the network, KRACK re-sends the third handshake key multiple times. This causes the WPA2 protocol on the router to re-encrypt the keys. WPA2 isn’t programmed to use different encryption when it sends out the keys again, however, which allows a device running KRACK to work backwards, compare the data, and uncover parts of the keychain used to encrypt the handshakes. In practice, this means KRACK can figure out how any router secures its network, allowing it to log in without a password and rendering WPA2 almost pointless.
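To make the handshake-replay idea above concrete, here is an added Python example (not from the original article) showing why accepting the third handshake message a second time is dangerous, and how a patched device avoids it. The `Station` class, the key, the sample frames and the SHA-256 toy keystream are assumptions made for illustration; real WPA2 normally uses AES-based CCMP.

```python
import hashlib
import hmac

KEY = b"constructed-session-key"        # constructed sample value
P1 = b"frame one: hello"                # constructed plaintexts, same length
P2 = b"frame two: world"

def keystream(key, nonce, length):
    """Toy keystream (SHA-256 in counter mode), standing in for WPA2's cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Station:
    """Hypothetical Wi-Fi endpoint; patched=True models the post-KRACK fix."""
    def __init__(self, patched):
        self.patched, self.key, self.nonce = patched, None, 0

    def on_message3(self, key):
        # Fix: a retransmitted message 3 carrying the key already in use
        # must not reinstall it, so the packet counter is not reset.
        if self.patched and self.key is not None and hmac.compare_digest(self.key, key):
            return
        self.key, self.nonce = key, 0

    def encrypt(self, plaintext):
        self.nonce += 1                  # per-frame packet number
        return self.nonce, xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))

def run(patched):
    s = Station(patched)
    s.on_message3(KEY)                   # genuine handshake message 3
    n1, c1 = s.encrypt(P1)
    s.on_message3(KEY)                   # the same message 3 arrives again
    n2, c2 = s.encrypt(P2)
    # If the keystream repeated, c1 XOR c2 equals P1 XOR P2: the cipher cancels out.
    return {"nonces": (n1, n2), "keystream_reused": xor(c1, c2) == xor(P1, P2)}

if __name__ == "__main__":
    print("unpatched:", run(False))
    print("patched:  ", run(True))
```

The unpatched run encrypts two different frames under the same packet number, which is the condition the operating-system and firmware updates described below are meant to remove.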
What Can KRACK Do to Me?
With access to any secured network, KRACK hackers will have a lot of power. Not only will they be able to view packets sent by devices connected to the same router, they’ll also be able to inject and manipulate data, effectively giving them an all-access pass to view and control your online activities. The consequences of this are chilling to say the least. Below are a few of the more eye-opening things KRACK can do to Wi-Fi and your connected device.
- Forge packet data and send it to the client, allowing hackers to easily spoof websites.
- Control access to the Wi-Fi network to prevent new users from connecting.
- Read information encrypted by the network as if it were unencrypted.
- Steal social security numbers, credit card numbers, passwords, e-mails, etc.
- Gain access to any secure website you log into.
How to Protect Yourself from KRACK
KRACK weaknesses are in the Wi-Fi protocol itself, not the software or device you own. This means almost every piece of internet-connected hardware can be affected by KRACK, including smartphones, gaming consoles, and streaming devices. KRACK is also effective against both WPA1 and WPA2 protocols, and changing your Wi-Fi password won’t offer any protection. Pretty scary, isn’t it? The good news is there are several things you can do to stay safe until WPA is updated to fix the vulnerability at its core.
Update Your Device
In lieu of overhauling WPA itself, software developers are releasing patches to provide OS-level protection against KRACK. The most vulnerable clients include Android devices and anyone running Linux, though Windows, Mac, ChromeOS, and iOS users aren’t safe, either. If you don’t have automatic updates enabled, it’s a good idea to manually check to make sure you’re safe. Instructions for major operating systems are below.
- Android – Settings > About device > Software update > Check for updates
- iOS – Settings > General > Software Update > Download and install
- Mac – Open the App Store and click “Updates”
- Windows 10 – Press the Windows key, type “Check for Updates”, then click the updates button.
Update Your Router
Software fixes are crucial for KRACK protection, but don’t forget about your router. Firmware updates can stop hackers before they gain access to the network, protecting every device that connects from your home. Updating firmware should be automatic for most users, but in case it isn’t, you should manually check to make sure you’re up to date. The process is pretty straightforward but can vary from device to device. If the instructions below won’t work, look through your router manufacturer’s support page for a detailed guide.
- Type your router’s address into a browser window. If you’re not sure what the address is, look at the sticker on the bottom of your router. It should be something like this: 192.168.0.1
- Enter your admin login details to gain access to your router.
- Check for a settings page or a firmware update link in the menu.
- Download and install any updates immediately.
- Your router will reboot once the installation is complete.
Disable Wi-Fi and Use a Wired Connection
If your home computer or internet-enabled device has a slot for an Ethernet cable, use it. Most laptops and gaming consoles support both Wi-Fi and wired connections, which means you can bypass many KRACK vulnerabilities by simply plugging in a cord. Unfortunately, you’ll have to disable your router’s Wi-Fi broadcast to make sure a KRACK user can’t gain access, which can be a massive inconvenience.
Encrypt Data Before It Leaves Your Device
Most KRACK attacks fall into the “man-in-the-middle” category. This means someone is sitting between you and the internet, watching each packet pass through the router and feeding back false information. Good man-in-the-middle attacks are completely invisible to the end-user, meaning you’ll never know that the Facebook page you’re logging into is fake. Staying safe from these attacks is tough, but there are some precautions you can take, such as encrypting information before it’s transmitted across the network.
HTTPS Everywhere is a good first line of defense. The browser extension forces websites and your browser to use the HTTPS protocol, which encrypts sensitive information. It’s made by the Electronic Frontier Foundation, an organization set up to protect user privacy in the digital age, and should be a permanent addition to your plug-ins arsenal.
Use a VPN to Protect Against KRACK
Common sense is the best protection against KRACK attacks, but you can also add a layer of security by encrypting data on your device before sending it through the internet. The easiest way to do this is to run a VPN every time you connect to a Wi-Fi hotspot, even at home. VPNs won’t singlehandedly defeat KRACK attacks, but they do provide added encryption any hacker would have to break before gaining access to your data.
Choosing the right VPN doesn’t have to be a complicated affair. We’ve provided a few recommendations below, all chosen based on the following criteria. Each one will help keep you safe from KRACK attacks, give you access to geo-restricted content, and make sure you stay anonymous and secure online.
- Fast downloads – VPNs are slower than regular internet connections, which means you’ll need a service that puts a high priority on compensating for that speed loss.
- Large server network – More servers means more options for fast, low-latency connections around the world.
- No bandwidth restrictions – Unlimited bandwidth is the only way to surf the internet.
- P2P and torrent availability – Some VPNs block these protocols, which can limit things like movie and TV show downloads and streams.
- Zero-logging policy – You can’t stay safe without a zero-logging policy in place.
Top 5 VPNs to Secure Your Wi-Fi Connection
A VPN won’t single-handedly solve the KRACK vulnerability, but it can go a long way towards protecting your sensitive personal data against surveillance or theft. Using the aforementioned search criteria, we have found the best VPN providers to lock down your Wi-Fi network to be:
NordVPN delivers an excellent blend of safety and security, starting with a zero-logging policy on bandwidth, traffic, time stamps, and IP addresses. You also get an automatic kill switch, DNS leak protection, and 256-bit AES encryption on all data, not to mention a massive server network of more than 5,100 nodes in 59 different countries. Each plan is backed by NordVPN’s 30-day money back guarantee, so there’s no risk to try it out.
Pros
- Very affordable plans
- 5,400+ servers globally
- DNS leak protection, kill switch
- Based in Panama
- Money back guarantee policy (30-days).
Cons
- Some servers can be unreliable
- They can take 30 days to process refunds.
Surfshark is a unique VPN that’s only been around since 2019. But they’ve already grown a network more than 3,200 servers strong across 65 countries, with connections encrypted by the unbreakable AES-256-GCM cipher. On top of this, each server comes jam-packed with extra functionality for unblocking websites, including obfuscation, smart DNS, and the special NoBorders anti-censorship method. Surfshark installs easily onto your router, with a handy guide on their website and 24/7 live chat support to help you through if you need it. Moreover, you can get away with a per-device installation, as Surfshark never limits the number of simultaneous connections you can have. We particularly love the ability to configure different VPN settings for individual Wi-Fi networks, which is especially handy for routers you suspect may be vulnerable to KRACK attacks.
Pros
- Every server optimized for unblocking Netflix, BBC iPlayer, Hulu, and more
- Multi-hop connections readily available
- Unbreakable AES-256-GCM encryption on every connection
- Based in the British Virgin Islands, where there are no data retention laws
- Helpful 24/7 live chat with an actual human being.
Cons
- Connection speeds won’t impress users of other high-end VPNs
- Apps don’t allow for much manual fiddling for power users.
Speed is important when you use a VPN, but only if it doesn’t come at the expense of security. ExpressVPN hits the mark with over 3,000 super-fast servers secured by 256-bit AES encryption, software-based identity protection, and a zero-logging policy on traffic, DNS requests, and IP addresses. Install ExpressVPN on your laptop, desktop, smartphone, and tablet, then surf the web in safety.
Pros
- Unblocking Netflix, iPlayer, Hulu, Amazon Prime
- Super fast servers (minimal speed loss)
- Torrenting allowed
- Strict no-logs policy
- 24/7 Customer Service.
Cons
- Slightly more expensive than some other options.
IPVanish delivers all the right features to keep you safe online, including 256-bit AES encryption, zero logging, DNS leak protection, and an automatic kill switch. Key points include a strong server network spanning 1,300+ nodes, fast connections, and excellent anonymity features. With an IPVanish VPN, you can surf and stream with complete anonymity on any device; and all plans are covered by a seven-day money back guarantee so you can try it out with no risks.
VyprVPN kicks privacy into high gear by providing tough protocols that defeat online censorship blocks and make it nearly impossible to discover your identity or location. All of this is bolstered by configurable 256-bit AES encryption on all devices, DNS leak protection, an automatic kill-switch, and a zero-logging policy that covers both traffic and DNS requests.
Reader Encounters with KRACK
Have you encountered KRACK in the wild? What tricks did you use to secure your devices? Sound off in the comments below.
If you need a VPN for a short while, when traveling for example, you can get our top-ranked VPN free of charge. NordVPN includes a 30-day money-back guarantee. You will need to pay for the subscription, that’s a fact, but it allows full access for 30 days, and you can then cancel for a full refund. Their no-questions-asked cancellation policy lives up to its name.