A researcher from a university in Belgium has discovered a weakness that can be exploited in nearly all Wi-Fi routers. It is cleverly being referred to as KRACK, which is an acronym for “key reinstallation attacks.” Suffice it to say, that anyone using a Wi-Fi connection is vulnerable to possible attack until the patches are released from the vendors.
All operating systems have this flaw, but the most at risk is Android 6.0 (Marshmallow) and higher. Linux is the next highest on the list, but MacOS and Windows also possess this vulnerability. Microsoft claimed it has a patch available and Google is still working on one.
In the meantime, if you need to do any tasks that involve entering confidential or sensitive information into a browser, do these tasks on a Wi-Fi connection that is more secure than a public place. While it still is not guaranteed safe in this case, it is much less risky to you. Cellular connections are always the safest way to connect and should be used over free Wi-Fi whenever possible.
When you see the indicator or dialogue that a patch or update is available for your device, take the time to apply it immediately. This goes for hardware too, as it is possible for the firmware of those devices to be affected.
The flaw is in the way the security protocol WPA2 functions. At a basic level, each time you connect to a network, a four-step dialogue process occurs between your device and wherever it is connecting (a process called a handshake). The devices at either end “agree” to use a particular key to create a secure connection. Typically, the key can only be used one time. In this case, the devices are tricked into using essentially a recorded replay of the handshake process. If it is successful, an attacker can hijack the connection and record data passing between the two points.
On the upside, the attacker must be physically close by to make this work. That is why avoiding using public Wi-Fi to perform sensitive transactions should be avoided for the time being. However, since it is possible for malware to also be injected into the connection, using public or unsecured wireless is also discouraged.