The security researcher Mathy Vanhoef has discovered critical flaws in the WPA2 security standard which is used virtually everywhere to encrypt WLAN connections. A method of attack known as KRACK (Key Reinstallation Attack) works on virtually all Wi-Fi-enabled client devices. It allows attackers to intercept and manipulate data packets sent or received via a Wi-Fi network secured through WPA2, allowing hackers to access data such as your passwords, account details, messages or emails.
Devices with Android or Linux operating systems are particularly susceptible, according to Vanhoef. Windows and Apple devices are only partially affected because they do not allow flaws to be fully exploited. In order to carry out an attack, hackers must be in the same Wi-Fi network as the user. You should therefore be sure to avoid public Wi-Fi hotspots, such as those at airports as well as in public areas, cafés or hotels. Wired or mobile Internet connections are not affected by KRACK and are still considered secure.
Wi-Fi Protected Access 2 (or WPA2) is used by virtually every Wi-Fi-enabled device to encrypt the Wi-Fi connection, making KRACK particularly significant. However, client devices connected to the Wi-Fi are more vulnerable to the attack than access points or routers.
The WPA2 security flaw is the result of design errors in the IEEE standard 802.11 on which it is based. The problem lies in the way a client device authenticates itself at a Wi-Fi access point. The four-stage process is known as the four-way handshake , which generates and compares a number of security keys. Details of this are available on krackattacks.com on which Vanhoef has also published a proof of concept video for KRACK.
Luckily, the security flaw can be patched through a software update with reverse compatibility. Until a patch becomes available for your device, you should, as a precaution, refrain from carrying out online banking, online shopping or transferring other confidential data via Wi-Fi.
The US-CERT (United States Computer Emergency Readiness Team) maintains a list of all affected providers and the current patch status. A slightly clearer list can be found at Charged.