The above video shows how a Man in the Middle attack is easily mounted against a user connected to the system, intercepting the data flow as if it weren’t encrypted. Although a properly set up website with HTTPS (SSL) encryption will still hide a user’s data, an improperly set up site will not protect the user.
It is possible that a user will go to a site, see that it is protected by the classic lock symbol appearing on the URL line of the browser, then get hacked while thinking they are securely passing credit cards, email addresses, passwords and other information. The video shows Match.co.uk being broken.
The discoverer of the attack says in his paper that the problem is a weakness in the WiFi standard itself, not any particular product. See: Breaking WPA2 by forcing nonce reuse
Updates will be required on all devices: routers, phones, portable computers, whether Android or Apple or Samsung or Cisco or Belkin or Linksys or Debian or Ubuntu or any of the suppliers of chips like Broadcom or … well, everyone. There is a site tracking information on these companies: https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vulnerability/
Other articles:
https://www.schneier.com/blog/archives/2017/10/new_krack_attac.html
What is the good news? First, trusting a WiFi network has always been hit or miss. A poorly set up system would allow me to break into your computer on the other side of the room…or at least have a chance of it. So, now more people will be wary.
Another good point is that equipment which does not get patches out quickly (I’m thinking of 3rd party Android phones from smaller suppliers, for example) is going to be known for the bad actor that it is.
Finally, I suppose it will get more of us onto a VPN, where a good tunnel still works. Yahoo! More things to know…
=-=-=
There is another crack that just hit the public as well, this one called ROCA. It is a horror for the many who have used a particular bed of generator numbers to fulfill the promise of randomness when generating public keys.
We all know public key encryption, yes? The attack is on public key encryption. It is too detailed to summarize in a simple article. But it is a condemnation of keeping things hidden as a method for security, what’s called “Security Through Obscurity”. When it is open and public, we can all see a lot sooner whether there are hooks for the bad guys or the government (redundant?), or just plain errors. Here is the detailed Technica article about it:
Millions of high-security crypto keys crippled by newly discovered flaw