The Short Version
KRACK stands for Key Reinstallation Attack. It targeted the WPA2 four-way handshake, the process your device and router use to agree on encryption keys after you enter the Wi-Fi password. The attack could trick a device into reinstalling an already-used key, weakening the encryption for that connection.
KRACK was serious because it affected the WPA2 protocol design, not just one router brand. But it also had important limits: the attacker needed to be within Wi-Fi range, needed to target active connections, and did not automatically learn your Wi-Fi password.
What KRACK Actually Attacked
When your laptop joins Wi-Fi, it does not simply send traffic encrypted with your password. WPA2 uses the password to derive fresh session keys, and those session keys are negotiated during the four-way handshake.
KRACK abused the part of the handshake where a client installs a key and starts using it. By replaying a handshake message, an attacker could make some clients reinstall the same key and reset the packet counters used with it. Because WPA2's ciphers must never encrypt two packets with the same key and counter value, that reset opened the door to decrypting or manipulating certain packets, depending on the device, cipher, and traffic.
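A toy model of what the replayed handshake message does to a client's packet counter, added here as an illustration (not code from the KRACK research or from any real Wi-Fi stack); the key bytes and the SHA-256 keystream stand-in are constructed placeholders for AES-CCMP, and the "patched" branch models the fix of refusing to reinstall a key that is already in use:

```python
"""Toy WPA2 client key-installation model (added illustration, not a real
supplicant). It shows why reinstalling the same session key is dangerous:
the client's packet-number counter restarts, so the (key, counter) pair
repeats and the per-packet keystream is reused."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Client:
    """Minimal client state: installed session key and transmit counter."""
    patched: bool
    ptk: Optional[bytes] = None
    packet_number: int = 0
    nonces_used: List[int] = field(default_factory=list)

    def on_message3(self, ptk: bytes) -> None:
        """Handle handshake message 3, the 'install this key' step."""
        if self.patched and self.ptk == ptk:
            # Patched behaviour: a retransmitted message 3 for a key that is
            # already installed is acknowledged but the key is not reinstalled,
            # so the packet-number counter keeps advancing.
            return
        # Vulnerable behaviour: (re)install the key and reset the counter.
        self.ptk = ptk
        self.packet_number = 0

    def send(self) -> Tuple[int, bytes]:
        """Encrypt one frame; returns (counter, keystream prefix) to inspect."""
        nonce = self.packet_number
        self.packet_number += 1
        # Toy keystream derivation (constructed stand-in): real CCMP uses AES
        # with the packet number inside the nonce and is equally deterministic
        # in (key, counter), which is exactly why a repeated counter is fatal.
        ks = hashlib.sha256(self.ptk + nonce.to_bytes(6, "big")).digest()[:8]
        self.nonces_used.append(nonce)
        return nonce, ks


def simulate(patched: bool) -> dict:
    """Message 3, two frames, a replayed message 3 (as in KRACK), one frame."""
    ptk = b"constructed-session-key-for-demo"
    c = Client(patched=patched)
    c.on_message3(ptk)
    first = c.send()        # counter 0
    c.send()                # counter 1
    c.on_message3(ptk)      # replayed message 3
    after = c.send()
    return {"nonce_before": first[0], "nonce_after": after[0],
            "keystream_reused": first[1] == after[1]}
```

With the vulnerable client the third frame reuses counter 0 and therefore the same keystream as the first frame; the patched client keeps counting and produces a fresh keystream.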
What KRACK Did Not Do
- It did not crack the Wi-Fi password.
- It did not let attackers join your network from across the internet.
- It did not bypass HTTPS protection on properly secured websites.
- It did not mean every WPA2 network was instantly readable by anyone nearby.
That distinction matters. KRACK was a real vulnerability, but the practical risk depended heavily on device patch level and what traffic the victim was sending.
Who Was Most Affected?
Client devices were the main concern: phones, laptops, tablets, smart TVs, cameras, and IoT devices. Routers and access points also needed updates, especially when running in mesh, repeater, or client mode, where they act as clients themselves, but patching client devices was critical.
Linux and Android devices were particularly notable at the time because one implementation bug could cause an all-zero encryption key in some cases. Modern Android, iOS, Windows, macOS, and Linux builds have long since shipped patches, but forgotten IoT devices are a different story.
How to Check Your Home Risk Today
- Update the router firmware. Log into the router admin panel or app and check for firmware updates.
- Update client devices. Phones, laptops, tablets, streaming boxes, and TVs need OS or firmware updates too.
- Replace or isolate abandoned devices. If an IoT device has not received updates in years, replace it or move it to a guest or IoT network.
- Use HTTPS everywhere. HTTPS limits what Wi-Fi-layer attacks can reveal about web traffic.
- Move to WPA3 when practical. WPA3 is not required to be safe from KRACK, but it is a good broader upgrade.
KRACK vs a Weak Wi-Fi Password
These are different risks. A weak Wi-Fi password can be guessed offline if an attacker captures the WPA handshake. KRACK did not need to guess the password; it attacked key handling while the device was joining the network. That means changing your Wi-Fi password alone was not the KRACK fix. Patching devices was.
What Home Users Should Do Now
If your primary devices are updated, do not panic. The realistic work is hygiene: keep router firmware current, avoid unsupported hardware, and do not let old smart devices sit on the same network as laptops, phones, and NAS devices.
For a modern home network, a strong setup looks like this: WPA2-AES or WPA3, WPS disabled, router firmware updated, guest network for IoT, and no ancient unpatched phones or cameras still connected because "they technically work."
Frequently Asked Questions
Is KRACK still a threat today?
For fully updated phones, laptops, routers, and access points, KRACK is mostly a historical vulnerability. It still matters for old devices that no longer receive Wi-Fi driver or firmware updates, especially IoT devices and abandoned Android hardware.
Did KRACK reveal my Wi-Fi password?
No. KRACK did not crack the Wi-Fi password. It attacked the WPA2 handshake after authentication and could allow traffic decryption or manipulation in some conditions.
Does WPA3 fix KRACK?
WPA3 changes the authentication design and adds stronger protections, but updated WPA2 devices can also be safe from KRACK. The practical fix is keeping client devices and router firmware patched.