A major vulnerability has been discovered in the protocol governing basically all modern wi-fi routers. Here's what we know so far.
If you've set up a home wi-fi network, at some point you've encountered one or more screens concerning WEP and its successor WPA2. Both are security protocols created by the Wi-Fi Alliance that keep strangers from eavesdropping on what websites your computer is trying to access.
WEP was deemed insecure in 2003 and replaced, and it looks like WPA2 is also headed for the dustbin of history now that researcher Mathy Vanhoef has revealed a major flaw in the protocol, which he's calling KRACK — for Key Reinstallation Attacks. This weak link in WPA2 not only allows "man-in-the-middle" eavesdropping attacks, it also opens up wi-fi networks for ransomware and other malicious code injections. According to Vanhoef's findings, KRACK "can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on."
Essentially, WPA2 has devices go through a four-way handshake, and KRACK forces part three to be resent, over and over again, while your WiFi access point looks for a response from the device. Though an exceptionally clever attack on a protocol, KRACK appears to require attackers be close enough to a router's signal to connect to it, like any normal sign-in to a wi-fi network.
Android and Linux users are in an especially bad position, as KRACK is highly effective against devices running those operating systems according to Vanhoef, and some have suggested Android users turn wi-fi capabilities off until the issue is patched. Here's video of the exploit hitting an Android device.
So what's the good news, exactly? First, patches for this issue are already rolling out. Companies know how serious this protocol breach is and are doing what they can as fast as they can. According to a statement by the WiFi Alliance "This issue can be resolved through straightforward software updates, and the Wi-Fi industry, including major platform providers, has already started deploying patches to Wi-Fi users."
Second, the handshake your computer and a given website go through with WPA2 is just one countermeasure against ne'er-do-wells. So far it seems secure sites — distinguished by having HTTPS before the URL — are, well, still secure.
And, again, it appears that gaining access to a given wi-fi network still requires physical proximity to the router, so KRACK targets can't be hit from anywhere in the world, unlike hacks that have no proximity requirements.
For the next couple days, avoid public wi-fi, try to stick with HTTPS sites, and remember to install all patches on your devices as they're made available.
We've reached out to Vanhoef for additional comments and will update if we hear back. In the meantime, his full paper on KRACK is available to read online.