There’s been a lot of social media activity around this issue since Mathy Vanhoef published the following on krackattacks.com:
We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.
This iMore article provides a good overview:
Exploit in WPA2 means it’s open season on your Wi-Fi network, no matter what router you use.
Security researcher Mathy Vanhoef has revealed what he has labeled KRACK; an exploit that attacks a vulnerability in the handshake of the WPA2 protocol that you most likely use to protect your Wi-Fi at home and millions of small businesses around the world use, too.
Jerry Hildenbrand, iMore
The Verge provides some reassurance:
The good news is Krack is a wide but shallow bug: nearly every device that uses Wi-Fi is vulnerable, but the attack itself is difficult to execute and not as damaging as you might expect. Taking advantage of this bug would take a lot of preparation and a very specific target, which is very good news in the short term.
And the good news is that Apple are on the case…
ZDNet.com confirms that:
The iPhone and iPad maker confirmed to sister-site CNET that fixes for iOS, macOS, watchOS and tvOS are in beta, and will be rolling it out in a software update in a few weeks.
- Use a direct Ethernet connection if available
- Use cellular data rather than Wi-Fi on mobile devices
- Only use HTTPS websites – this shows that the information you enter is encrypted in transit