A bombshell new report says it doesn't matter how good your password is, or what other security settings you have – if you're using WiFi, it's possible for someone to spy on every single thing you do.
And it affects essentially every WiFi network being used, from your private home set-up to the one at your local coffee shop.
The discovery of this serious new issue comes from Mathy Vanhoef, a Belgian computer security researcher. Vanhoef published the findings Monday on a dedicated website, KRACKattacks.com.
The flaw lets people "read information that was previously assumed to be safely encrypted," Vanhoef wrote. "This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on."
And the scope is potentially huge: "The attack works against all modern protected Wi-Fi networks," he said.
How it works
We're going to keep this part brief, because it gets very technical very quick.
It concerns the use of "WPA2," a proven method of protecting data on a network. (You've probably seen it when setting up WiFi at a new house or apartment.) WPA2 has been used to make WiFi connections secure for a decade now – it's the "modern standard," Consumerist explains, because it was thought to be well-protected.
The flaw Vanhoef discovered is in the core function of WPA2, during what's referred to as a "4-way handshake." The WiFi access point and the device that's connecting to it talk to each other to make sure credentials match. The device gets issued a new, fresh encryption key, which secures any data that gets sent over that connection (so web browsing, streaming, etc.).
But there's a way for an attacker to have the WiFi access point and your device redo part of that "handshake" process. It forces the device to take an already-used encryption key – not a fresh new one. That gives the attacker an opening to spy on any data that goes over the connection.
Here's a short demo video from Vanhoef (but heads-up, it's pretty technical):
Vanhoef refers to this as a KRACK attack, shorthand for "key reinstallation attacks."
Who does it affect?
Pretty much everyone.
Android, Apple, Windows and Linux are all vulnerable. And as mentioned above, it's not tied to any specific device or software – it's a problem within the way the WPA2 operates.
"If your device supports Wi-Fi, it is most likely affected," wrote Vanhoef.
Just to be clear, you could have the greatest WiFi password ever known to humankind and it would make no difference.
This vulnerability doesn't use a password to access anything, and it doesn't seek out the password. In fact, it's the first attack on WPA2 that "doesn't rely on password guessing," according to Vanhoef.
"Changing the password of your Wi-Fi network does not prevent (or mitigate) the attack" he wrote. "So you do not have to update the password of your Wi-Fi network."
A little bit of good news ... kind of
For an attacker to do this, they have to be within range of a WiFi network. So someone halfway across the world isn't going to be snooping around in your WiFi, monitoring you as you watch Stranger Things with your Stranger Things mug and toys before season 2 premieres.
Also, it's not easy. A computer novice won't be able to pull this off, with Vanhoef acknowledging some of the scenarios are "rather impractical" – but still warning the general strategy could certainly be abused.
Vanhoef said it's not known right now if this attack is being used out in the wild – which you can take as glass-half-full or glass-half-empty, depending on your world view.
So what should I do?
There's nothing immediately you can do to prevent this, outside of not using WiFi (but let's be honest, that's not going to happen).
The best course of action?
Update your laptop/phone/tablet every time it requests you to do so. Don't click "Remind me later" for two weeks like you normally would.
That's because there is a fix for this WPA2 flaw. Developers were notified of this problem back in July, Vanhoef said, and at least one (OpenBSD) has already released a patch. Microsoft put out its patch on Oct. 10, U.S. CERT says. Apple also has said a fix is coming.
So update, update, update.