This is HUGE news. The popular Wi-Fi protocol WPA2 has been broken.
KRACK (Key Reinstallation Attack) affects pretty much everyone using Wi-Fi. We won’t get into all the nitty-gritty details (you can find those here), but we will give you a summary of what is going on:
Summary
This attack affects pretty much all devices that have Wi-Fi.
Changing your wireless password won’t fix this problem.
The KRACK attack allows attackers to decrypt your internet traffic to see what you’re doing online.
What Can I Do?
Don’t switch to WEP (another wireless security protocol – it’s REALLY insecure)
Install all security updates for your devices (phones, computers, routers)
Use HTTPS wherever possible
Consider using your data plan instead of wireless
Consider using a reputable VPN service, which adds an additional layer of encryption and privacy
Can I see this attack in action?
Yes, see the video below:
Is this issue being tracked?
Yes – here are the CVEs:
CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
CVE-2017-13087: Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
CVE-2017-13088: Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.