A severe flaw in the encryption protocols used by nearly all modern Wi-Fi networks could let attackers hijack encrypted traffic, steal passwords and even inject malware into smartphones and laptops. Dubbed KRACK, or Key Reinstallation Attack, by its discoverer, the flaw affects all widely used platforms: Windows, Mac, iOS, Linux and Android. Android 6.0 Marshmallow and later, and Linux kernel 2.4 and later, are especially hard-hit.

Despite the severity of the flaw, it is rather difficult to exploit. The attacker needs to be within Wi-Fi range of a smartphone or laptop to attack it; the attack does not work over the internet.

What to Do

Users should keep using encrypted Wi-Fi wherever necessary, such as at home and at work. However, you might want to avoid using Wi-Fi networks, even password-protected ones, in coffee shops, hotels, airports and other public places for the time being. Use cellular data or a VPN service instead.

The attack is mostly against client devices, including laptops, Wi-Fi enabled desktops, smartphones, tablets and smart-home devices. It is more important that client devices get patched than that routers get patched, although patching the routers would not hurt.

There is no need to change your Wi-Fi password: the KRACK attack does not require knowing your Wi-Fi password, and does not even access it. Rather, the main line of attack involves setting up a rogue network in range of the real one, using the same network name, so that some devices connect to the rogue network instead.
The public announcement about this security weakness was held back for weeks in order to give Wi-Fi hardware vendors a chance to produce security updates. The Computer Emergency Readiness Team managed by Homeland Security maintains a running list of hardware vendors known to be affected, along with links to their available advisories and patches. Fortunately, many Wi-Fi router and client-device makers have already issued, or are about to issue, patches — a list of vendors that have already done so is at https://www.kb.cert.org/vuls/id/228519 (you may need to copy and paste this URL) — so users should update their routers, smartphones and laptops as soon as possible.
The advisory indicates that the most recent versions of Windows and Apple’s iOS are either not vulnerable to this flaw or are only exposed in very specific circumstances. Android devices, on the other hand, are likely going to need some patching, and quickly.
If, while browsing the CERT advisory, you discover that an update is available for your computer, wireless device or access point, take care to read, understand and follow the vendor’s instructions before you update. Failing to follow explicit directions when updating a wireless access point can quickly leave you with an expensive, oversized paperweight.