“We found a weakness in the design of this WPA2 protocol [in which] we
can force a victim into reusing a key,” Vanhoef, the researcher who
discovered the issue, says. “In turn we can use that to reveal sensitive
information that the victim is sending, such as passwords, or usernames,
and so on.”
Good news: For this exploit to actually happen, the hacker taking
advantage of it must be in range of the Wi-Fi network, so it’s not the kind
of attack that can be carried out from the other side of the world. Bad
news: if done successfully, the attacker could intercept and see the data
that flows from your device to the internet.
For those looking for a more thorough explanation of the problem, Leuven
has published a research paper on the topic and also lays it all out in
a website about it.
Who's affected?
The problem lies in the WPA2 wireless protocol—so it’s not something
that a specific device-maker created. According to Vanhoef, common
operating systems like iOS, Android, Linux, and Windows are all
susceptible, but to different degrees. The most vulnerable devices run the
Android and Linux operating systems, Leuven says.
Your home Wi-Fi network is less likely to be vulnerable than a big one,
like a public Wi-Fi system at an airport or an office.
Leuven says it is unclear if anyone has actually used the exploit yet.
“We’re not in a position to determine if people are abusing this or not,” he
says. But he remains most concerned about smartphones running Android.
And while home networks and routers are less vulnerable than others, it's
also a good idea to make sure your router's firmware is updated. For
example, Netgear published an article listing the routers, cameras, range
extenders, and other gizmos that are vulnerable to this exploit, and
explains how to get the newest firmware.
And Apple confirmed to Popular Science that fixes for the exploit are
coming to consumers via updates in the next few weeks for iOS, macOS,
watchOS, and tvOS; those same updates are already out in either public or
developer betas.
Like Leuven, Wueest stresses the importance of updating the software that
runs your devices. He also recommends that if you are sending sensitive
information, check your browser to make sure the connection is secured
with HTTPS/SSL. (Look for a lock symbol in the URL field.) When
configured correctly, that protocol protects your information with an
additional level of security. The last step to take, for the truly worried?
Consider using a virtual private network, or VPN.