The vulnerability was found in the WPA2 protocol used to secure protected networks in all current Wi-Fi hardware, including routers and client devices such as PCs, laptops and mobile phones.
Practically any device capable of sending or receiving a Wi-Fi signal is affected.
Researchers this week published information about a newfound, serious weakness in WPA2, the security standard that protects all modern Wi-Fi networks. The flaw, if successfully exploited, could enable a hacker to spy on your data and gain access to other unsecured devices sharing the same Wi-Fi network. "This issue can be resolved through straightforward software updates, and the Wi-Fi industry, including major platform providers, has already started deploying patches to Wi-Fi users", says a Wi-Fi Alliance spokesperson. Because the flaw is in the design of the protocol itself (not a specific vendor implementation), attackers can capture part of the handshake message and use modified versions of it to trick devices into installing a blank encryption key, a technique Vanhoef calls "key reinstallation attacks", or KRACKs. However, Vanhoef said HTTPS alone might not be enough to protect your data if a hacker uses KRACK to read your internet traffic, considering the number of times hackers have found ways to break the encryption. Vanhoef dubbed the flaw KRACK, which stands for "key reinstallation attack"; it is fundamental to the WPA2 protocol.
However, US-CERT, the United States Computer Emergency Readiness Team, released an advisory over the weekend in which it summarised what the research team will reveal in detail this evening. This could allow passwords, credit card numbers, photos and messages sent over a network to be stolen, or attacks to be injected into the traffic.
An attacker in your midst (at least, within Wi-Fi range) could, in theory, sniff out at least some of the encrypted traffic sent to some of the computers in your organisation.
In short, nearly all Wi-Fi devices featuring the WPA2 security protocol are vulnerable to key flaws in its 4-way handshake process. Second, you'll want to consider patching your router firmware if the manufacturer doesn't update it for you automatically.
Fortunately, the attacker would need to be in close proximity to you in order to pull off an attack.
This is probably overkill, especially if you follow the other three steps listed above.
With Android and Linux, an attacker doesn't even have to do that much work: the attacker can simply reset the encryption key.
If you're anxious about your security, various solutions can help you mitigate the problem while you wait for hardware companies to update router firmware.