You might have heard some doom-and-gloom news this morning: a researcher has finally figured out how to compromise WPA2, the world's most popular WiFi encryption scheme, and almost everyone is vulnerable.

There is, however, no reason to panic. It's patchable, the scripts to exploit devices are not in the wild, and many devices have already received updates. You'll probably hear a lot over the next few days that WiFi is "broken beyond repair," but it's not entirely true.

Called "Krack attacks," the new exploit affects the WiFi standard itself and allows an unauthenticated attacker to steal data from your network. It's not an easy hack, but it's of particular concern because we can't just switch away from WPA2 the way we all ran away from WEP when it was compromised.

Yes, this is bad... but the good news is that it's also entirely addressable, as per the FAQ:

Do we now need WPA3?



No, luckily implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moments in time. However, the security updates will assure a key is only installed once, preventing our attacks. So again, update all your devices once security updates are available.
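The fix the FAQ describes, installing a key only once, can be modelled in a few lines. This is an added example, not code from the researchers or from any vendor patch; the `Supplicant` class, its methods and the sample key are hypothetical, and the handshake is reduced to the one step that matters here: installing a key resets the per-packet nonce counter.

```python
# Simplified model of a WiFi client handling message 3 of the WPA2 4-way
# handshake. All names are illustrative; this is not real supplicant code.

class Supplicant:
    def __init__(self, patched):
        self.patched = patched
        self.installed_key = None   # session key currently in use
        self.tx_nonce = 0           # per-packet transmit counter (the nonce)
        self.used = set()           # (key, nonce) pairs already used to encrypt

    def on_message3(self, key):
        """Handle message 3. Message 4 is sent back in every case, so the
        frames on the air look the same for patched and unpatched clients.
        Returns True if the key was (re)installed."""
        if self.patched and key == self.installed_key:
            return False            # retransmission: acknowledge, keep state
        self.installed_key = key
        self.tx_nonce = 0           # installing a key resets the nonce counter
        return True

    def send_frame(self):
        """Encrypt one data frame. Returns True if its (key, nonce) pair
        has been used before, which is what breaks the encryption."""
        self.tx_nonce += 1
        pair = (self.installed_key, self.tx_nonce)
        reused = pair in self.used
        self.used.add(pair)
        return reused

def run_handshake_with_retransmit(patched):
    """Deliver message 3, send traffic, deliver the same message 3 again,
    send more traffic. Returns (install results, number of nonce reuses)."""
    client = Supplicant(patched)
    key = "PTK-constructed-sample"  # constructed placeholder, not a real key
    installs = [client.on_message3(key)]
    reuses = sum(client.send_frame() for _ in range(3))
    installs.append(client.on_message3(key))  # same message 3 arrives again
    reuses += sum(client.send_frame() for _ in range(3))
    return installs, reuses

if __name__ == "__main__":
    print("unpatched:", run_handshake_with_retransmit(False))
    print("patched:  ", run_handshake_with_retransmit(True))
```

The unpatched client reinstalls the key and encrypts three more frames under nonces it has already used; the patched client keeps counting and never repeats one.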

Behold, a video demonstrating how this affects an Android device in the wild; Android devices are the most widely and adversely affected mobile devices:

The implications of this new attack are pretty scary-sounding, and the news is still developing, but a few things are fairly clear:



Almost every mobile/desktop device on the planet is affected and needs patching

Fixing IoT devices and Android devices, which rarely see updates anyway, is going to be difficult at best

Your router will need a software update at some point

Nobody will know how to update their router, or how to check if it's patched

If you're looking for an explanation of how this attack works, why it evaded detection for so long and even more detail you can find it here. Looking for someone to blame? Here's where to look, according to the same article:

If you’re looking for someone to blame, a good place to start is the IEEE. To be clear, I’m not referring to the (talented) engineers who designed 802.11i — they did a pretty good job under the circumstances. Instead, blame IEEE as an institution.

The long and short of all of this is: you're definitely affected in some way; how to protect yourself just depends on which devices you use. The most important thing to do is check if all of your devices can be patched immediately: not just your router, but whatever you're using to get online too.

To be clear, however, this matters because the data transmitted by any of your devices could now be exposed, and attackers don't need to be on the same network as you. Just patching your router won't get you out of trouble, sadly.



Looks like router fixes aren't for the main issue. They're pushing fixes for the other issues in the paper. The critical one is a client patch.

— Graham Spookyland 🎃 (@gsuberland) October 16, 2017

I thought I'd try to keep track of the first companies to push fixes out for this on both the router side and the client side.

Below you'll find a manually updated list of every patched system I've found so far. Say hey in the comments if there's anything new not listed here, or if there's an obvious error.

Firmware patch status

✅ = Available for download and patched.

⚠️ = Fix pending release or in beta.

❌ = No known fix



There's also an exhaustive (kind of hard to read) list available here, on the CERT website addressing the vulnerability.



If you find any other companies with fixes out already, let me know in the comments or on Twitter.

If you want help with your security in general there are some fantastic instructions here on how to protect yourself.

Last update: 01:23 PM Oct 31 (ET) — Added Apple's announcement about iOS 11, ChromeOS.

08:47 AM Oct 17 (ET): Reformatted as table for readability, added Sonos + Nest along with other major IOT vendors.

Update: 07:05 AM Oct 16: Added information about Raspberry Pi.

Update: 01:40 AM Oct 16: Added information about iOS updates, Eero and major IOT vendors.