If an attacker is in range, he can use key reinstallation attacks (KRACKs) to exploit the weakness in the WPA2 protocol.
The disclosure by the government's Computer Emergency Response Team could potentially allow hackers to snoop on or take over millions of devices which use Wi-Fi. "We agree that some of the attack scenarios in the paper are rather impractical, do not let this fool you into believing key reinstallation attacks can not be abused in practice", says Vanhoef, who has authored a 16-page academic paper on the vulnerability along with Piessens.
This means that the hacker who is inside the physical range of one's WiFi network can crack the Wi-Fi password.
We all love to be connected on Wi-Fi, but the very same Wi-Fi that we are using has a serious vulnerability.
"During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks", he continued. While this makes the attack a lot riskier, it's little comfort considering how widespread WPA2 encryption is used.
Since the researcher claimed that most Wi-Fi supporting devices could be affected by the KRACK attacks, different tech giants reportedly came up with their own solutions to prevent their products from such occurrences. Microsoft says that it released a security fix on October 10, so anyone on the latest version of Windows 10 will be protected.
Also, the public announcement about this security weakness was held for weeks in order to give Wi-Fi hardware vendors a chance to produce security updates.
The Wi-Fi Alliance, an industry group, says there's no evidence that the vulnerability discovered by researcher Mathy Vanhoef has been exploited maliciously. Bleeping Computer posted a list of available patches and pledged to update it as new fixes appear. "Users can expect all their Wi-Fi devices, whether patched or unpatched, to continue working well together", the statement said.
Since the loophole is at the very basic level - the Wi-Fi standard itself - another cybersecurity expert Jiten Jain says users will have to wait for a firmware update for their routers and other devices.
Finally, consider browsing the Web with an extension or browser add-on like HTTPS Everywhere, which forces any site that supports https:// connections to encrypt your communications with the Web site - regardless of whether this is the default for that site.
Unfortunately, changing your passwords won't help this time around.