KRACK: The Implications For Hotel Industry

By Pavel Pohl, Founder & CEO at
November 2017

First of all, what is KRACK?

KRACK (Key Reinstallation Attack) is a security flaw in the WPA2 protocol, which could allow hackers to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, etc.

How dangerous is it?

There is no need to panic. This is not an easy-to-exploit flaw, but make sure it gets fixed. Be aware of it, roll out a remedy plan and execute.

How can it be exploited?

Hackers can break the encryption between your router and a device, allowing them to intercept and interfere with network traffic. They can not only intercept traffic and steal data but (except for WPA2-AES) even modify and forge fake data e.g. ransomware, interfering with the content of non-secure websites. To do so, attackers need to get close to the communication between the device and an access point or router. However, watch out. Hackers don’t need to be physically in range of your WiFi network. They may attack by controlling any device that is within the reach of your Wi-Fi.

What devices are at risk?

All hotel areas:

  • Android smartphones (patches yet to be released, availability depends on each gadget vendor)
  • Windows devices (patches already available for Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012 and Windows Server 2016. Older versions will never be patched)
  • Apple devices (patches for iOS, macOS, watchOS, and tvOS available "in a few weeks.")
  • Linux devices (some patches several patches for already available Ubuntu 14.04+, Arch, OpenBSD, Debian, Gentoo and Linux upstream)
  • eBook readers
  • Access Points with enabled WPA2, Mesh or Point-to-Point topologies.
Back of house:

  • Wi-Fi controllers
  • Wi-Fi enabled POS systems
  • Wi-Fi enabled printers and copiers
  • Wi-Fi CCTV cameras
  • VoIP phones
  • Wi-Fi enabled industrial controllers.
Guests rooms:

  • Smart TVs
  • Wi-Fi enabled minibars
  • Room service tablets
  • Gaming consoles
  • Smart in-room thermostats, A/C, lighting controls, etc.
What to do

  • Keep all devices updated with the latest patches.
  • Make sure 802.11r is disabled on your access points (turn back on after it’s patched).
  • Change WPA2-TKIP to more secure WPA2-AES (it still needs to be patched though)
  • Make sure wireless intrusion detection system (WIDS) is enabled on your Wi-Fi network (provided it supports this feature).
  • Check for further actions with your Wi-Fi devices vendors.
  • If, in the meanwhile, you can connect a device via LAN cable, instead of Wi-Fi, do it.
  • Make sure your network is physically separated from guest network.
  • Make sure your back-office wired network is securely separated from back office’s wireless network.
  • Changing your Wi-Fi password is not necessary, as KRACK doesn’t need it to access your network and it also cannot reveal it. Hiding our SSID will not protect you either.

A Wi-Fi network protected by WPA2 will still be more secure than a Wi-Fi network protected by WEP or WPA, even if the WPA2 Wi-Fi network is still vulnerable to KRACK.

In the meanwhile, use VPN to encrypt your communication and prefer HTTPS secured websites.