Whether you realize it or not, you've likely been relying on the protections of WPA2 for more than a decade. But WiFi Protected Access II (WPA2), the internet's condom, apparently isn't as surefire as we've been led to believe.
Researcher Mathy Vanhoef, of KU Leuven in Belgium, has uncovered a flaw in WPA2 that could be "exploited to read and steal data that would otherwise be protected," Wired reported Monday. Vanhoef describes the flaw as a collection of "serious weaknesses" that, when a potential attacker is within range, could be used to procure sensitive info including credit card numbers and emails. "The attack works against all modern protected Wi-Fi networks," Vanhoef said. "Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites."
What Vanhoef refers to as a Key Reinstallation Attack (KRACK) is made possible due to an issue with WPA2's "four-way handshake" process of connecting a user to a network. Most up-to-date iOS and Windows users are (potentially, anyway) among the least vulnerable to KRACK attacks thanks to Apple and Microsoft's WPA2 setup and subsequent updates, but could still carry the risk under certain circumstances. "Any device that uses WiFi is likely vulnerable," Vanhoef advised. Android and Linux devices, meanwhile, are vulnerable to the worst aspects of the security flaw.
In a statement to reporters following Vanhoef's report, the WiFi Alliance—a non-profit organization focused on maintaining WiFi standards—confirmed that a new testing step for these specific vulnerabilities are now in place. For devices already on the market, however, customers should keep an eye out for user-friendly patches and router firmware dates while (of course) continuing to use WPA2 despite the risk.
In the meantime, avoid websites that aren't HTTPS-encrypted and think thrice about connecting to sketchy-as-fuck free/public WiFi networks. For more info on KRACK, check out Vanhoef's full breakdown here.