What should you do?
For now, it seems the options are to avoid public Wi-Fi for a while, or to protect yourself as far as you can.
A serious vulnerability has been discovered in WPA2, the Wi-Fi security protocol that is now mainstream. So, are we using WPA2? Does this affect us?
According to WiGLE, a site that compiles statistics on Wi-Fi usage, as of October 2017 90% of encrypted Wi-Fi networks use WPA2, so it is best to assume that basically everyone who uses Wi-Fi is affected by this story.
There used to be a protocol called WEP, but vulnerabilities were discovered in it in 2003, and WPA2 was its successor. WPA2 has been in use for more than 10 years, but security researcher Mathy Vanhoef found a major flaw in it. He calls this flaw KRACK (Key Reinstallation Attacks).
In addition to allowing man-in-the-middle attacks that intercept communications, KRACK allows malicious code such as ransomware to be injected into Wi-Fi networks. According to Vanhoef, "It could be exploited to steal sensitive information such as credit card numbers, passwords, chat messages, e-mails, and photos."
Roughly speaking, KRACK works like this. WPA2 performs a "4-way handshake" (four exchanges of data) to set up encryption between the user's device (e.g. a smartphone) and the Wi-Fi access point. An attacker can apparently replay, decrypt and rewrite packets flowing between the access point and the device at will. However, the attack cannot be carried out remotely, because the attacker needs to be near the Wi-Fi network to use KRACK.
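The sketch below is an added example, not code from the original article or from Vanhoef: a toy Python model of the key reinstallation that gives KRACK its name, next to the patched behaviour. It assumes the publicly documented behaviour that a replayed handshake message 3 makes an unpatched client reinstall the key and reset its packet nonce; the toy cipher, the class and function names, and the sample frames are all constructed for illustration.

```python
import hashlib

# Constructed sample frames and key (not real traffic).
P1 = b"user=alice&pw=hunter2"
P2 = b"chat: see you at noon"
KEY = b"constructed-session-key"

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key: bytes, nonce: int, n: int) -> bytes:
    # Toy stream cipher (assumption): stands in for the real WPA2 cipher.
    return hashlib.shake_256(key + nonce.to_bytes(8, "big")).digest(n)

class Client:
    """Hypothetical Wi-Fi client; patched=True models the fixed behaviour."""
    def __init__(self, patched: bool):
        self.patched, self.key, self.nonce = patched, None, 0

    def on_handshake_msg3(self, key: bytes) -> None:
        # Message 3 of the 4-way handshake tells the client to install the key.
        if self.patched and key == self.key:
            return  # key already in use: keep counting, do not reinstall
        self.key, self.nonce = key, 0  # (re)installation resets the nonce

    def send(self, plaintext: bytes):
        self.nonce += 1
        stream = keystream(self.key, self.nonce, len(plaintext))
        return self.nonce, xor(plaintext, stream)

def run_session(patched: bool):
    """Install key, send P1, receive a replayed message 3, send P2."""
    client = Client(patched)
    client.on_handshake_msg3(KEY)
    first = client.send(P1)
    client.on_handshake_msg3(KEY)  # retransmitted message 3
    return [first, client.send(P2)]

def nonce_reused(frames) -> bool:
    nonces = [n for n, _ in frames]
    return len(nonces) != len(set(nonces))

def leaked_xor(frames) -> bytes:
    # Under a repeated nonce the keystream cancels: c1 ^ c2 == p1 ^ p2.
    return xor(frames[0][1], frames[1][1])

if __name__ == "__main__":
    for patched in (False, True):
        frames = run_session(patched)
        print(patched, nonce_reused(frames), leaked_xor(frames) == xor(P1, P2))
```

With the unpatched client both frames go out under nonce 1, so the encryption cancels out of their XOR; the patched client keeps counting and the frames stay independent.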
According to Vanhoef, KRACK is particularly effective against Android and Linux, so people who use them should be careful. It is said that Android users are better off turning off Wi-Fi until the problem is resolved. Here is a video showing how an Android device is actually hacked.
But there is good news. First of all, patches for this problem are already being released. According to the Q&A on Vanhoef's site, patches can be applied to both Wi-Fi routers and devices, but general users should give priority to updating devices such as laptops and smartphones over Wi-Fi routers.
So what matters is how each company responds. Microsoft has reportedly already addressed the issue in Windows, and Apple has addressed it in the beta versions of iOS and macOS. However, Google, which develops Android, the platform regarded as especially at risk, seems somewhat relaxed, saying it is "responding with a patch on November 6". And, as TechCrunch points out, even if Google issues an update it will take time to reach every Android version, so it is worrying whether everyone on Android can be kept safe....
As another self-defense measure, although it seems to have holes of its own, one option is to open only sites that use HTTPS, an encryption mechanism separate from WPA2. However, Vanhoef points out that there are various cases where HTTPS has been bypassed, so it is probably better not to rely on it too much.
As noted above, an attacker needs to be physically near the Wi-Fi router to snoop on a Wi-Fi network using KRACK. So the chances of being attacked are much lower than with hacks that can be launched from anywhere on the internet. That said, Wi-Fi radio waves can reach the floor below in an apartment building or travel fairly far, and you cannot keep watch over the whole coverage area....
So it is best to avoid public Wi-Fi for a while, and to install the patch as soon as it is distributed.