Serious security weaknesses have been discovered in WPA2
How does it KRACK your Wi-Fi?
There is a process by which every device is authenticated before it is allowed access to a Wi-Fi network. This process is invisible to the end-user so there would be no obvious way for you to know that a security break has occurred.
KRACK targets the third step of the four-way authentication “handshake” that your device uses. This is the step where a Wi-Fi client attempts to connect to a protected Wi-Fi network. The encryption key may be resent multiple times during this step. If these retransmissions are collected by attackers and replayed in specific ways, 802.11 security encryption can be broken. For a more technically detailed explanation, check out Mathy Vanhoef’s KRACK attacks website.
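A simplified model of the client side of that third step, added here as an illustration (it is not code from ALE or from the KRACK research). It assumes, as the published KRACK research describes, that reinstalling a key resets the client's packet counter; the class, function and key names are hypothetical, and no real 802.11 frames or cryptography are involved.

```python
# Toy model of a Wi-Fi client handling handshake message 3.
# Constructed for illustration: no real frames, keys or crypto.

class Client:
    def __init__(self, patched):
        self.patched = patched
        self.installed_key = None
        self.tx_nonce = 0      # packet number used together with the key
        self.used = []         # every (key, nonce) pair that protected a frame

    def on_message3(self, key):
        """Handle message 3, which may arrive more than once."""
        if self.patched and key == self.installed_key:
            return False       # key already installed: keep the counter
        self.installed_key = key
        self.tx_nonce = 0      # installing a key resets the packet number
        return True

    def send_frame(self):
        """Protect one outgoing frame with the next packet number."""
        self.tx_nonce += 1
        pair = (self.installed_key, self.tx_nonce)
        self.used.append(pair)
        return pair


def reused_pairs(patched, replays=2):
    """Return (key, nonce) pairs used more than once across resent message 3s."""
    client = Client(patched)
    key = "session-key-A"      # constructed placeholder, not a real key
    client.on_message3(key)    # first, legitimate message 3
    for _ in range(replays):
        client.send_frame()
        client.send_frame()
        client.on_message3(key)  # the same message 3 arrives again
    client.send_frame()
    seen, dup = set(), set()
    for pair in client.used:
        (dup if pair in seen else seen).add(pair)
    return sorted(dup)


if __name__ == "__main__":
    print("unpatched client reuses:", reused_pairs(patched=False))
    print("patched client reuses:  ", reused_pairs(patched=True))
```

The unpatched client protects several frames with the same key and packet number, which is the condition that breaks the encryption; the patched client ignores the repeated message and never repeats a pair.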
What happens when KRACK breaks Wi-Fi security?
However, it’s not all bad news
In the meantime …
Stick to websites that use HTTPS encryption, as data encrypted with a higher-level protocol like HTTPS and/or TLS stays protected: secure websites are still secure even with broken Wi-Fi security. Check for the lock in the address bar, which shows that your web browser is browsing with HTTPS. The URLs of encrypted websites will start with “HTTPS,” while unsecured websites are prefaced by “HTTP.” The Electronic Frontier Foundation’s superb HTTPS Everywhere browser plug-in can force all sites that offer HTTPS encryption to use that protection.
If you’re using an encrypted virtual private network (VPN), then your traffic is secure. It will be secure even in case of a successful KRACK attack.
… and my Wi-Fi password?
Should I contact my network vendor regarding their products?
Your network vendor should be aware of KRACK and should be providing either patches or workarounds for their products.
If you are an ALE customer or partner, update your OmniAccess and OmniAccess Stellar WLAN products to the latest available software releases. These will include patches for the flaw.
We are investigating the potential impact on all of our products and will publish updates as soon as possible on our ALE public website for security advisories.