For that reason, users may want to be wary of using Wi-Fi at all until patches are widely rolled out. For now, it looks as if some manufacturers are pushing out updates, which should go some way to preventing attacks. Note that devices such as laptops and smartphones will require updates as well as routers. Indeed, Vanhoef said it's more urgent for general users to patch their personal devices, whether phones, PCs or any smart device, be they watches, TVs or even cars. He recommended users get in touch with the relevant vendors to find out when patches are coming.
Given the range of devices affected, it's almost guaranteed patches won't make it to everyone. The CERT Coordination Center (CERT/CC) has released a vulnerability note listing affected vendors, including Cisco, Intel and Samsung, amongst many other major tech providers.
A range of vendors have promised updates are already available or will be soon. A Google spokesperson wrote in an email to Forbes: "We're aware of the issue, and we will be patching any affected devices in the coming weeks."
Microsoft confirmed it had rolled patches out already: "We have released a security update to address this issue. Customers who apply the update, or have automatic updates enabled, will be protected."
Cisco also said it had published a security advisory to detail which products are affected, and a blog to help customers better understand the issue. "Fixes are already available for select Cisco products, and we will continue publishing additional software fixes for affected products as they become available," a spokesperson said.
Intel confirmed it was "working with its customers and equipment manufacturers to implement and validate firmware and software updates that address the vulnerability." It also released an advisory.
And Apple confirmed it has a fix coming for its Mac and iOS operating systems that's currently in the betas for its next software updates. Those will land in the next few weeks.
Some good news
There's some good news: this attack alone can't be carried out over the internet. In the most likely attack scenario, the hacker has to be within Wi-Fi range of the victim's device, close enough to sit between it and the legitimate access point as a man-in-the-middle (possibly up to a few hundred feet away, depending on whether they had access to antennas to extend their reach). "This attack doesn't scale," noted Alan Woodward, encryption expert from the University of Surrey. "It's a very targeted attack. Not like we're all going to be hit as attackers can only be in so many Wi-Fi zones at once."
But Woodward did have words of caution, especially for businesses: "The reason this is so worrying, and why everyone is so interested, is that many (including large organisations) assume their [local Wi-Fi network] is a trusted environment. For example, some don’t require authentication on network resources. If that boundary is now easily breached then there would need to be a lot of rethinking about threat models.
"This is the sort of flaw that the security community dreads: it is not about a single vendor having messed up a particular implementation but rather a fundamental flaw in the way the protocol was specified. Even those that have implemented the standard correctly will have baked in this flaw."
The research appears to have been built on previously released findings from July, when Vanhoef and colleagues discussed issues with Wi-Fi security at the Black Hat conference in Las Vegas. They've released the research paper in full on their dedicated KRACK attack website.
For those users whose routers, PCs and smartphones don't yet have updates, there are some measures they can take to protect their online privacy. Virtual Private Network (VPN) software can protect them, because it encrypts traffic between the device and the VPN server before it ever reaches the Wi-Fi link, so anything an attacker recovers from the Wi-Fi encryption is still ciphertext. Only using HTTPS-encrypted websites should also benefit the user, though SSL-stripping tools can remove that protection from sites that don't enforce HTTPS (for example, via HSTS). Changing the Wi-Fi password won't prevent attacks, because the flaw doesn't recover the password: it tricks a device into reusing a session key it has already negotiated. It's still advisable to change the password once the router has been updated.
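The following is an added example, not code from the article or from the researchers, modelling in Python why a key reinstallation leaks data (the "fundamental flaw in the protocol" above) and why changing the Wi-Fi password can't help. WPA2's CCMP encrypts each frame with AES in counter mode, using the session key and a nonce built from a per-frame packet number (PN); a client tricked into reinstalling the key it is already using also resets the PN, so the keystream repeats. The `keystream` function below is an HMAC-based stand-in for AES-CTR (the nonce-reuse weakness is a property of any counter-mode construction, not of AES), and `Client`, `run_session`, `recover_with_nonce_reuse`, `KNOWN_FRAME` and `SECRET_FRAME` are constructed for this illustration. The `vulnerable` switch contrasts pre-patch behaviour (reinstalling resets the PN) with the fix (a key already in use is not reinstalled).

```python
"""Toy model of a key reinstallation attack (added example, not the researchers' code).

A Wi-Fi client encrypts frames with a session key (PTK) and a nonce derived from
a per-frame packet number.  If a replayed handshake message makes the client
reinstall the PTK it already uses, the packet number is reset and the keystream
for the next frames repeats, which lets an eavesdropper recover plaintext.
"""
import hashlib
import hmac

# Constructed sample data for the example.
PTK = hashlib.sha256(b"constructed example session key").digest()
KNOWN_FRAME = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"   # plaintext the attacker can predict
SECRET_FRAME = b"POST /login user=alice&pw=hunter2\r\n"          # plaintext the attacker wants


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = HMAC-SHA256(key, nonce || i).
    Stand-in for CCMP's AES-CTR core; like the real thing it is fully
    determined by (key, nonce), so a repeated nonce repeats the keystream."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Encrypting side of a Wi-Fi client.

    vulnerable=True  models the pre-patch behaviour: reinstalling the PTK that
                     is already in use resets the packet number to zero.
    vulnerable=False models the fix: a reinstall of the in-use key is ignored,
                     so the packet number keeps increasing.
    """

    def __init__(self, ptk: bytes, vulnerable: bool):
        self.ptk = None
        self.pn = 0
        self.vulnerable = vulnerable
        self.install_key(ptk)

    def install_key(self, ptk: bytes) -> None:
        if ptk == self.ptk and not self.vulnerable:
            return  # patched: key already installed, keep the counter monotonic
        self.ptk = ptk
        self.pn = 0  # fresh key (or vulnerable reinstall): counter starts over

    def send(self, plaintext: bytes):
        """Encrypt one frame; returns (nonce, ciphertext) as seen on the air."""
        nonce = self.pn.to_bytes(6, "big")  # CCMP's nonce carries the 48-bit PN
        self.pn += 1
        return nonce, xor(plaintext, keystream(self.ptk, nonce, len(plaintext)))


def run_session(client: Client, attacker_replays_msg3: bool):
    """Victim sends a predictable frame, then (after the attacker replays
    handshake message 3, forcing a reinstall) a secret frame.  Returns the
    frames an eavesdropper would capture."""
    frames = [client.send(KNOWN_FRAME)]
    if attacker_replays_msg3:
        client.install_key(client.ptk)  # same PTK again: the key reinstallation
    frames.append(client.send(SECRET_FRAME))
    return frames


def recover_with_nonce_reuse(frames, known_plaintext: bytes):
    """Attacker side: two frames under one nonce give C1 xor C2 = P1 xor P2,
    so a known P1 reveals P2.  Returns the recovered bytes, or None when every
    nonce is unique (no reuse, nothing to exploit)."""
    seen = {}
    for nonce, ct in frames:
        if nonce in seen:
            return xor(xor(seen[nonce], ct), known_plaintext)
        seen[nonce] = ct
    return None


if __name__ == "__main__":
    leaked = recover_with_nonce_reuse(run_session(Client(PTK, True), True), KNOWN_FRAME)
    print("vulnerable client, replayed message 3:", leaked)
    safe = recover_with_nonce_reuse(run_session(Client(PTK, False), True), KNOWN_FRAME)
    print("patched client, replayed message 3:", safe)
```

Note that the password never appears in this model: the attacker only needs the victim to encrypt twice under the same (key, nonce) pair, which is why changing the passphrase does nothing and why the fix belongs in the handshake code on the client. Recovery needs the known plaintext to be at least as long as the secret frame; with a shorter known prefix only the corresponding leading bytes come back.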
Vanhoef is promising more too. Though he admitted some of the KRACK attacks would be difficult to carry out, he plans to release more information on how to make them significantly easier to execute, especially against Apple's macOS and the OpenBSD operating system.