Researchers have discovered a massive vulnerability in WPA2, an encryption scheme that is commonly used to protect wireless networks. Dubbed KRACK (short for Key Reinstallation Attacks), the exploit allows attackers to bypass WPA2's security measures and intercept internet traffic, which could in turn expose data such as passwords, emails, and more.
Given that almost every single device relies on the WPA2 protocol for wireless connectivity - from your smartphone, to your laptop, to your TV - the consequences of KRACK have the potential to be far-reaching.
There is good news though: device manufacturers were made aware of the vulnerability months ago and are already working on updates. HTTPS encryption isn't affected, so your internet traffic to secure sites is still encrypted. And since KRACK is a vulnerability in Wi-Fi, a malicious actor has to be in physical proximity to your network to actually target you.
What's the risk?
For the average person, KRACK is only a mild threat. While it affects nearly every Wi-Fi device, it's hard to take advantage of. A hacker would have to specifically target you, and would need to be physically present within the range of your wireless network. There is no way to carry out a KRACK attack remotely over the internet.
If a hacker gets access to your network, they could intercept non-encrypted traffic or use a man-in-the-middle attack to compromise your device with malware, but HTTPS traffic is still thought to be safe for the most part.
What devices are affected?
Any device that connects to Wi-Fi is affected by KRACK, whether it's a Mac, PC, smart TV, smart fridge, iPhone, Android, router, modem, or gaming console.
What should I do?
The most important thing to do when protecting yourself against KRACK is installing software updates for your Wi-Fi connected devices as they become available.
When will updates be available?
Microsoft was the first out of the gate, and addressed the vulnerability in the October 10 Windows security update. Apple will be rolling out a fix for iPhone, iPad, Mac, Apple Watch, and Apple TV in the coming weeks. Google has also used the "coming weeks" time frame for patching affected products - such as Android, Chromecast, Home, and Google Wifi. Android devices will then also require the manufacturer to push out a security update after they've received it from Google.
Router and modem manufacturers will also need to put out new firmware for their products, but there's little information on the time frame so far.
All other Wi-Fi devices should also be updated as their manufacturers roll out fixes.
What does this mean for public Wi-Fi?
Public Wi-Fi isn't regarded as safe in general, due to the lack of encryption. Nothing's really changed here.
Can I just turn off my Wi-Fi?
Yes, if you turn off Wi-Fi on your phone or can connect your computer to your modem via an Ethernet cable, you won't be exposed to KRACK.