
Wi-Fi has a serious vulnerability.

Here's how to stay safe.


Wi-Fi is the invisible connective tissue of the internet. Mathy Vanhoef, a
28-year-old postdoctoral researcher at KU Leuven, a university in
Belgium, discovered the issue, called KRACKs, months ago.
Here’s what you need to know about the problem, and what to do about it.

It starts with a handshake


When a machine like a laptop or smartphone connects to a Wi-Fi network,
the two gadgets carry out a multi-step handshake. That process involves
confirming that your phone, for example, has the right password to
connect to the network. The handshake system also produces encryption
keys that keep the data secure, so no one can snoop on you. It’s here where
the vulnerability lies—the exploit causes one of those keys to be reused,
which is a security no-no.

“We found a weakness in the design of this WPA2 protocol [in which] we
can force a victim into reusing a key,” Vanhoef, the researcher who
discovered the issue, says. “In turn we can use that to reveal sensitive
information that the victim is sending, such as passwords, or usernames,
and so on.”
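Why a reused key is a "security no-no", as an added example that is not part of the original article: a toy model in which re-delivering the same key restarts the client's per-frame counter, so two frames are encrypted with the same keystream, next to a patched client that refuses the reinstall. The `Client` class, the SHA-256 keystream (a stand-in for the real Wi-Fi cipher), and the sample key and frames are constructed assumptions for illustration.

```python
import hashlib

def keystream(key: bytes, counter: int, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode), a stand-in for the real Wi-Fi cipher."""
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical client model; patched=True refuses to reinstall the key already in use."""
    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.counter = 0

    def install_key(self, key: bytes) -> None:
        if self.patched and key == self.key:
            return  # same key already installed: keep the counter running
        self.key = key
        self.counter = 0  # a fresh install restarts the per-frame counter

    def send(self, plaintext: bytes):
        self.counter += 1
        return self.counter, xor(plaintext, keystream(self.key, self.counter, len(plaintext)))

def run_session(patched: bool):
    """Send a frame, receive the same key a second time, send another frame."""
    client = Client(patched)
    key = b"constructed-session-key"  # constructed sample value
    client.install_key(key)
    f1 = client.send(b"GET /index.html ")  # constructed sample frame
    client.install_key(key)  # the same key is delivered again
    f2 = client.send(b"password=hunter2")  # constructed sample frame
    return f1, f2

def keystream_reused(f1, f2) -> bool:
    """Defender's check: two frames under one key must never share a counter."""
    return f1[0] == f2[0]

def leaked_xor(f1, f2) -> bytes:
    """When the keystream repeats, XOR of the ciphertexts equals XOR of the plaintexts."""
    return xor(f1[1], f2[1])
```

With the unpatched client, anyone who can guess one frame's contents can XOR it out and read the other frame without ever learning the key; with the patched client the counters differ and the XOR is noise.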

Good news: For this exploit to actually happen, the hacker taking
advantage of it must be in range of the Wi-Fi network, so it’s not the kind
of attack that can be carried out from the other side of the world. Bad
news: if done successfully, the attacker could intercept and see the data
that flows from your device to the internet.

“When I initially discovered it, it was really surprising to find this,”
Vanhoef says. “Because this WPA2 protocol has been around for 14
years.”

For those looking for a more thorough explanation of the problem, Leuven
has published a research paper on the topic and also lays it all out on
a website about it.

Who's affected?

The problem lies in the WPA2 wireless protocol—so it’s not something
that a specific device-maker created. According to Vanhoef, common
operating systems like iOS, Android, Linux, and Windows are all
susceptible, but to different degrees. The most vulnerable devices run the
Android and Linux operating systems, Leuven says.

Your home Wi-Fi network is less likely to be vulnerable than a big one,
like a public Wi-Fi system at an airport or an office.

Leuven says it is unclear if anyone has actually used the exploit yet.
“We’re not in a position to determine if people are abusing this or not,” he
says. But he remains most concerned about smartphones running Android.

So what should you do?


The most important thing you can do—today and always—is install the
automatic updates that companies push out. Whether your smartphone or
laptop is running iOS or Android, Windows or macOS, the key is to
"always install updates," Leuven advises. No need to change the password
on your home Wi-Fi network, he says. (Microsoft is on the ball with this
one and patched the issue on October 10.)

And while home networks and routers are less vulnerable than others, it's
also a good idea to make sure your router's firmware is updated. For
example, Netgear published an article listing the routers, cameras, range
extenders, and other gizmos that are vulnerable to this exploit, and
explains how to get the newest firmware.

Karen Sohl, a communications director for Belkin, Linksys, and Wemo, says
that they are “aware” of the vulnerability. “Our security teams are
verifying details and we will advise accordingly,” she says, via email,
adding that they “are planning to post instructions on our security advisory
page on what customers can do to update their products, if and when
required.”

And Apple confirmed to Popular Science that fixes for the exploit are
coming to consumers via updates in the next few weeks for iOS, macOS,
watchOS, and tvOS; those same updates are already out in either public or
developer betas.

“Don’t panic,” Candid Wueest, a threat researcher with Symantec, says.
However, he adds, “It is definitely a serious vulnerability which is present
in the design of Wi-Fi as we use it, with the WPA-2 encryption.”

Like Leuven, Wueest stresses the importance of updating the software that
runs your devices. He also recommends that if you are sending sensitive
information, check your browser to make sure the connection is secured
with HTTPS/SSL. (Look for a lock symbol in the URL field.) When
configured correctly, that protocol protects your information with an
additional level of security. The last step to take, for the truly worried?
Consider using a virtual private network, or VPN.

Ultimately, a vulnerability like this is “rare,” but compared to malicious
code like WannaCry, Wueest says, “it’s not as bad for the internet.”
