Multiple vulnerabilities in the WPA2 security protocol ensure that data transmissions once believed to be secure can actually be decrypted, intercepted and modified. The problem affecting all current WiFi connections is unlikely to be easily resolved because of the variety of different devices involved. Right now only a few specialists are able to exploit this vulnerability, and only at short range.
The WiFi we currently use everyday in commercial routers is not as secure as we once assumed. But this isn't the fault of the router manufacturers themselves. It's actually due to flaws in the WPA2 security protocol used for encryption.
When a device is connected to the WiFi access point, a secret key is negotiated between the two devices via a four-way "handshake" in accordance with WPA2. This ensures that devices in the vicinity can listen to the following data connection, but cannot decrypt it (not without taking a really long time, anyway). But this handshake, as several experts have now found out, is flawed. One of the steps can be repeated as often as desired; attackers can intervene, intercept the key and intercept or even manipulate the connection.
This new kind of hacking attack was called Key Reinstallation Attacks or KRACK. The research behind it has been kept secret for weeks, but has now been published for public viewing at krackattacks.com. It is still unclear how a real-world attack on WPA2 encryption will actually work. If an exploit should be comparatively easy to implement, WiFi networks in general are no longer trustworthy. At various security conferences, some of the researchers will describe the newly discovered attack method in more detail.
We can at least expect router manufacturers to release a patch to mitigate this. Until then, security-minded readers should avoid WLANs, use them only over trusted VPN connections or to limit them to HTTPS (watch for that green lock in the URL to confirm it's secure) or Secure Shell connections. You can also use a wired (Ethernet) internet connection for your home PC.
Although computers have multiple ways for the user to make the connection more secure, and most routers should have this vulnerability patched, the majority of smart devices out there using WiFi, such as TVs, might remain unpatched and leave a hole in your security.
Before panicking, it's important to be aware that potential hackers still need physical access (to the actual radio signals), so you aren't vulnerable to everyone in the world, just potential threats in your neighborhood.
We have sent inquiries regarding KRACK to various router manufacturers and will update the article with corresponding statements.
Source: Ars Technica