Sebastien Jeanquier, Principal Consultant at Context Information Security, provides some background and advice on the KRACK attack.
The recently disclosed Key Reinstallation Attacks are a series of serious weaknesses in the WPA2 protocol that is used to secure the vast majority of modern Wi-Fi networks. The vulnerabilities are within the Wi-Fi standard itself and not in individual products or implementations. As such, all Wi-Fi enabled devices should be considered affected and vulnerable until a patch is made available by their respective vendors.
An attacker within range of a Wi-Fi client can trick that client into using a cryptographic key that the attacker is able to calculate, thus allowing the attacker to decrypt and eavesdrop on all of the network traffic between the Wi-Fi client and the Access Point. This could allow the attacker to steal usernames and passwords, as well as personal or financial information.
How worried should you be?
Although this is a significant attack against the WPA2 protocol and the details of these vulnerabilities have been disclosed, no tooling has been made available thus far. It is not inconceivable, however, that attackers could create their own tools to perform such an attack. Furthermore, an attacker wishing to target you would need to be within Wi-Fi range of your devices, making this very much a local attack.
How do you protect yourself?
Any Wi-Fi enabled device (computer, phone, tablet, e-reader, watch, etc.) is likely to be affected. The only way to fully mitigate these vulnerabilities is to wait for device manufacturers to release software patches and then install those as soon as possible.
In the interim, the only way to mitigate an attack using KRACK is to avoid using Wi-Fi (in favour of Ethernet or 4G). Users for whom this is not an option should put additional effort and awareness into ensuring connections are made using encryption. One way to do this is to use a Virtual Private Network (VPN), either one provided by your company for corporate use or a reputable VPN service for private use. Another is to ensure all websites are visited using SSL/TLS (i.e. URLs start with https://) and to be vigilant for 'insecure website' browser warnings, which could indicate the connection is being tampered with.
Two tools that can help in this regard are HTTPS Everywhere from the Electronic Frontier Foundation and the Brave browser for iOS devices.