The US Computer Emergency Readiness Team (US-CERT) has released an advisory about a newly discovered, serious vulnerability in WPA2, the security standard that is thought to protect all modern Wi-Fi networks.
WPA2, short for Wi-Fi Protected Access II, is the security protocol used by most wireless environments. Security researcher Mathy Vanhoef has discovered and published a critical flaw in this protocol that will allow anyone to manipulate this security process and steal data being transmitted between your wireless device (such as a laptop, smartphone or IoT device) and your network. That data could be anything from passwords to chat messages and photos.
The attack, called KRACK (short for Key Reinstallation Attack), affects all modern Wi-Fi networks that are supposed to be protected. The researcher says that "Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites. The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available."
This means that the issue possibly impacts a wide range of devices running Android, Linux, iOS, macOS and Windows. There is some potentially good news, however. First, an attacker would have to be within range of the wireless network to get between your device and your wireless access point. Second, most sensitive communications that could be susceptible to an attack, like checking your email or logging into your bank, should most likely already be encrypted with end-to-end encryption, which is another layer of encryption over the WPA2 protocol.
According to reports, the researcher notified US-CERT and other authorities about this vulnerability, and the information was kept secret for weeks to allow vendors to start patching their systems. US-CERT has published a list of affected vendors and any available mitigation strategies here. But as of this writing, many of the vendors are listed with a vulnerability status of "unknown".
The biggest exposure, I think, is to those organizations that do not properly separate their wireless network from their protected wired networks. Until some easy-to-use tools are made readily available, most regular users might be protected from this.
A word of warning, though: even if the US-CERT site shows that there might be an update available for your wireless access point or other devices, please read through the documentation on how to apply it properly, as an incorrectly applied update could render your device unusable.