Update: added new information based on the disclosed vulnerability.

Their paper "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2" will be formally presented on November 1st at the ACM Conference on Computer and Communications Security, but details on this vulnerability were publicly revealed on October 16th.

The vulnerability, called KRACK (Key Reinstallation AttaCK), lies in the 4-way handshake that takes place when a device connects to a wireless network. During this handshake the device and the access point agree on an encryption key and set up unique single-use numbers (called nonces) that protect the traffic between them. Because of a weakness in WPA2, an attacker who repeatedly re-transmits the third message of the handshake can force the device to reinstall the key and reuse a nonce, which may significantly weaken the encryption of traffic between Wi-Fi access points and the devices connecting to them.
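To make the nonce-reuse point concrete, here is an added example (not code from the original post or from the KRACK researchers): a hypothetical, simplified model of the client side of the handshake, comparing a supplicant that reinstalls the key on every copy of message 3 with one that installs it only once. The keystream is an HMAC-based stand-in for CCMP's AES counter mode, and the key and frames are constructed sample values.

```python
import hmac, hashlib

def keystream(ptk: bytes, nonce: int, length: int) -> bytes:
    # Stand-in for the per-packet keystream (real CCMP uses AES in
    # counter mode); what matters is that it depends only on key + nonce.
    out, block = b"", 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(ptk, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Supplicant:
    # Hypothetical client-side model of how message 3 is handled.
    def __init__(self, reinstall_on_retransmit: bool):
        self.reinstall_on_retransmit = reinstall_on_retransmit
        self.ptk, self.nonce, self.used_nonces = None, 0, []

    def handle_message3(self, ptk: bytes) -> None:
        # Vulnerable: every (re)transmitted message 3 installs the key
        # and resets the packet number. Hardened: install the key once.
        if self.ptk is None or self.reinstall_on_retransmit:
            self.ptk, self.nonce = ptk, 0

    def send(self, plaintext: bytes) -> bytes:
        self.nonce += 1
        self.used_nonces.append(self.nonce)
        return xor(plaintext, keystream(self.ptk, self.nonce, len(plaintext)))

def nonce_reused(client: Supplicant) -> bool:
    # Detection check: was any packet number used twice under one key?
    return len(client.used_nonces) != len(set(client.used_nonces))

def simulate(reinstall_on_retransmit: bool):
    ptk = b"constructed-ptk-for-demo"  # constructed sample key
    c = Supplicant(reinstall_on_retransmit)
    c.handle_message3(ptk)             # legitimate message 3
    c1 = c.send(b"first frame ")
    c.handle_message3(ptk)             # replayed copy of message 3
    c2 = c.send(b"second frame")
    return c, c1, c2

if __name__ == "__main__":
    for mode in (True, False):
        c, c1, c2 = simulate(mode)
        print("reinstall" if mode else "hardened", c.used_nonces, nonce_reused(c))
```

In the reinstalling model the two frames share a keystream, so XORing the two ciphertexts yields the XOR of the two plaintexts; the hardened model keeps counting and never repeats a nonce, which is the behaviour patched supplicants adopt.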

This vulnerability affects all versions of WPA2 security, including those using AES-CCMP. While some routers and other devices may receive updates against KRACK, many will be left unpatched.

Because this problem is a flaw in WPA2 itself rather than in one router's WPA2 implementation, it leaves many devices at risk. Currently, most implementations of the protocol are vulnerable, especially Linux and Android versions after 6.0. Funnily enough, because iOS and Windows implement the standard incorrectly, they are less vulnerable, though still at risk.

So, what does this mean for you, the end user? Your Wi-Fi is now quite possibly just a few days away from being as secure as the open hotspot in your local coffee shop. A potential attacker, given enough time, will be able to eavesdrop on whatever is sent over your Wi-Fi network and, if your wireless network is using earlier versions of WPA, possibly even hijack connections, for example by inserting content into insecure websites. Your Internet of Things devices (smart cameras, smart lights, and so on), which are already known for being quite insecure, are now even more vulnerable, since even devices that were not directly connected to the internet may now be exposed to danger.