Early this morning, researchers revealed the details of a serious vulnerability that they discovered in WiFi's security - a weakness that may let unauthorized parties eavesdrop on communications to and from computers, phones, and tablets using WiFi. In some cases, criminals could even insert malicious code such as ransomware into communications. Nicknamed KRACK, the vulnerability exploits several errors within the WPA2 security protocol used throughout the world as a standard for encrypting WiFi communications.
Your WiFi-connectable device "is most likely affected," say the researchers, who will present their findings in a presentation entitled Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 on November 1st at the ACM Conference on Computer and Communications Security in Dallas.
Additionally, 41 percent of all Android devices (smartphones, tablets, embedded systems, etc.) are vulnerable to a potentially "exceptionally devastating" exploit.
The good news is that in many cases the problem impacts clients (computers connecting to WiFi, phones, etc.) and not routers, so your router may not need upgraded (or thrown out if it cannot be).
What should you do?
Make sure to install all relevant recommended updates for all machines using WiFi as patches become available. For extremely sensitive tasks, consider using cellular connections. And, despite the vulnerability, continue to use WPA2 - using WiFi with no encryption, or with original WPA or WEP, is far worse; no criminals are known to have exploited the WPA2 weakness yet, but they certainly know how to do so if you use older security protocols or none to begin with. Of course, also update any routers or access points whose vendors issue patches to fix the present vulnerability or any others.
As far as official statements indicating the severity of the impact of the vulnerability, the United States Computer Emergency Readiness Team stated today:
US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.
More details about the vulnerability can be read on a website set up by the researchers at krackattacks.com.