Short for Wi-Fi Protected Access II, WPA2 is the security protocol used by most wireless networks today. This vulnerability is stated as a serious vulnerability, allowing attackers to monitor traffic between computer and wireless network points. According to a report by Ars Technica, the researchers have indexed the security flaws as, "CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088".
Vanhoef said his exploit targets primarily client devices rather than routers, and that it's most important to update these first. During their initial research, the researchers discovered that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by the KRACK attacks.
"Any device that uses WiFi is likely vulnerable", the security expert warned - a shocking assertion as so much of modern technology relies on the networks. They apply a layer of encryption to the data transmitted, protecting the information from being deciphered by other Wi-Fi-enabled devices in the immediate area.
"Here we are 16 years later and it appears the seemingly trusted protocol WPA2 is going the same way", commented Mark James, security specialist at ESET. Microsoft has announced that the Windows devices that have installed the latest October Windows security updates are already protected.
As plainly put, a bug affectionately called KRACK (Key Reinstallation Attack) has put nearly every modern Wi-Fi enabled device and content at risk of being decrypted by hackers.
KRACK works by affecting Wi-Fi Protected Access 2 (WPA2), which is used by people to keep their web use hidden from others. The Krack attack method can be abused to steal personal and sensitive information, such as credit card details, passwords, messages, emails and photos.
The United States Computer Emergency Readiness Team (CERT) issued a warning on Sunday, in response to the vulnerability. For a successful KRACK attack, an attacker needs to trick a victim into reinstalling an already-in-use key, which is achieved by manipulating and replaying cryptographic handshake messages or influencing him by providing wrong info messages. An attacker could now read all information passing over any wifi network secured by WPA2, which is most routers, both public and private.
On top of that there's now no known public attack code available to exploit the vulnerabilities, although that will no doubt change, and any hacker would need to be both very skilled and also situated in close proximity to your network kit in order to conduct the attack.
The fault lies in the setting of encryption key.
The good news is the security community and manufacturers are busy patching routers and devices, just like they did with Heartbleed.
"This certainly highlights the need for additional safety precautions; always where possible, password protect your network resource shares, even if you don't think anyone else would normally access it- after all it's not the ones you know about that are the problem".