What follows is a short rundown on what exactly is at stake here, who's most at-risk from this vulnerability, and what organizations and individuals can do about it. "The attack works against all modern protected Wi-Fi networks". KRACK attacks make it possible "to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos" from any Wi-Fi device.
Hackers are able to search for a WiFi network and then clone it to trick users. The hackers can unencrypted (non-HTTPS) traffic or compromise your computer by slipping malware into legitimate websites. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. "We agree that some of the attack scenarios in the paper are rather impractical, do not let this fool you into believing key reinstallation attacks can not be abused in practice", says Vanhoef, who has authored a 16-page academic paper on the vulnerability along with Piessens.
2. Avoid using public Wi-Fi networks..
Indeed, many companies are now developing security patches, which you should immediately download as soon as they're available.
Because of the wide use of WPA2 security on just about every home and business network device all over the world, this creates a real security headache for everyone.
The Wi-Fi Alliance, an industry group that represents hundreds of Wi-Fi technology companies, said the issue "could be resolved through a straightforward software update". The ideal solution right now would be to unhook these devices from the Wi-Fi network, and check with the manufacturer for KRACK patches. The October security update addresses the vulnerability by changing how Windows verifies wireless group key handshakes.
"Given the complexity of updating smart devices such as mobile phones, CERT NZ also strongly recommends disabling Wi-Fi when it isn't required", it said in its advisory. "Else, you could just use LAN for some time", he says, adding that HTTPS traffic will still be hard to intercept with this kind of an attack.
How can I prevent an attack?
All WiFi users are advised to update their devices to the latest security update as soon as it's available. Android devices, on the other hand, are likely going to need some patching, and soon.
Device and OS vendors are now working on security updates. Failing to do so with a wireless access point, for example can quickly leave you with an expensive, oversized paperweight.
This padlock will appear on all HTTPS sites.
For those interested in a deeper dive on the technical details of this attack, check out the paper (PDF) released by the researchers who discovered the bug.