The KRACK attacks vulnerability has been discussed in detail on a number of technology-related sites, especially, cryptographyengineering.com, Linux.com, Lifehacker.com, and here is the published paper concerning this vulnerability.
Below is the summary of the attack and suggested fixes as extracted from Linux.com blog:
- A flaw in the WPA2 wireless handshake protocol allows attackers to sniff or manipulate the traffic between your device and the wi-fi access point.
- It is particularly bad for Linux and Android devices, due either to ambiguous wording in the WPA2 standard or to misunderstanding during its implementation. Effectively, until the underlying OS is patched, the vulnerability allows attackers to force all wireless traffic to happen without any encryption at all.
- This vulnerability can be patched on the client, so the sky hasn’t fallen and the WPA2 wireless encryption standard is not obsoleted in the same sense that the WEP standard is (do NOT “fix” this problem by switching to WEP).
- Most popular Linux distributions are already shipping updates that fix this vulnerability on the client, so apply your updates dutifully.
- Android will be shipping fixes for this vulnerability Very Soon. If your device is receiving Android security patches, you will receive a fix before long. If your device is no longer receiving such updates, then this particular vulnerability is merely another reason why you should stop using old, unsupported Android devices.