KRACK, a flaw in Wi-Fi security protocol WPA2, leaves traffic open to eavesdropping, connection hijacking, and malicious injection; US CERT advisory issued.
Report by Ars' Dan Goodin.
Official Website: https://www.krackattacks.com/
Attack is a nonce reuse attack on the 4-way handshake
Attack does NOT allow the attacker to recover the Wi-Fi password
Attack DOES allow the attacker to intercept/decrypt/inject packets (i.e. perform a full MITM attack on a connected client)
Attack primarily leverages client-side vulnerabilities, so patching the access point won't magically fix this (client-side patches are needed for each device using Wi-Fi)
Kenn White describes it as a "core protocol-level flaw in WPA2 wi-fi"... which sounds bad.
CVEs were assigned in August, so hopefully there are mitigations in place (if possible).
Look for CVE-2017-13077, 13078, 13079, 13080, 13081, 13082, 13084, 13086, 13087, 13088 when details become available.
Two articles that list patches already available:
Follow @vanhoefm for the official drop.
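Why nonce reuse exposes traffic without exposing the Wi-Fi password, as an added example (not code from the KRACK site or the linked report): a toy keystream cipher stands in for WPA2's CCMP, and the key, MAC address, frames and function names are all constructed for illustration. The detector flags a sender whose nonce protected two different ciphertexts, which is what a reinstalled key with a reset counter produces.

```python
import hashlib
import hmac
from collections import defaultdict

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy stand-in for CCMP: the keystream depends only on (key, nonce)."""
    out, block = b"", 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: int, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))

def find_nonce_reuse(frames):
    """Return {(sender, nonce): [ciphertexts]} where one nonce protected
    different ciphertexts. Identical copies are ordinary retransmissions."""
    seen = defaultdict(list)
    for sender, nonce, ct in frames:
        if ct not in seen[(sender, nonce)]:
            seen[(sender, nonce)].append(ct)
    return {k: v for k, v in seen.items() if len(v) > 1}

def build_capture():
    """Constructed capture: the sender's nonce counter restarts after frame 2,
    as it does when an already-installed session key is installed again."""
    key = hashlib.sha256(b"constructed session key").digest()
    sender = "02:00:00:00:00:01"  # constructed, locally administered MAC
    msgs = [b"GET /index.html ", b"Host: example.co",
            b"POST /login HTTP", b"user=alice&pw=??"]
    frames, nonce = [], 0
    for i, msg in enumerate(msgs):
        if i == 2:
            nonce = 0  # key reinstalled: counter reset, same key
        nonce += 1
        frames.append((sender, nonce, encrypt(key, nonce, msg)))
    return msgs, frames

if __name__ == "__main__":
    msgs, frames = build_capture()
    for (sender, nonce), (c_a, c_b) in find_nonce_reuse(frames).items():
        # The keystream cancels: c_a XOR c_b == p_a XOR p_b, no key involved.
        print(sender, "nonce", nonce, "reused; p_a XOR p_b =", xor(c_a, c_b).hex())
    # Knowing one plaintext yields the other; the key and passphrase stay unknown.
    c_a, c_b = frames[0][2], frames[2][2]
    print(xor(xor(c_a, c_b), msgs[0]))
```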