The United States Computer Emergency Readiness Team has issued a vulnerability note for a major hole affecting the Wi-Fi Protected Access 2 standard that password-protects networks around the world.
The exploit was first publicized by Mathy Vanhoef of the Katholieke Universiteit Leuven in Belgium. It affects a four-party verification process where the user client connects to the access point, the client and the access point synchronize network credentials and then create and share a unqiue encryption key to protect the contents of web traffic.
The fault lies in the setting of encryption key. Hackers can intercept the process and manipulate it so that one pre-set key can be installed over and over again and that the packets of data, from banking info to information about many accounts, can be siphoned, easily decrypted and divulged. Forged packets can also be inserted into traffic, causing the installation of malware.
The Wi-Fi network password is completely irrelevant to this exploit.
Linux-based systems’ clients are especially vulnerable as an all-zero key can be planted. Android devices with version 6.0 or later have this client as well. However, traffic from Windows, iOS and macOS systems will still have plenty of penetration.
Vanhoef first published his whitepaper in May and began notifying manufacturers in July. CERT sent a notification to vendors in late August. And you can bet that all parties of good faith are working towards a patch.
Until then, check the website of your router’s manufacturer and see if there’s a firmware update you can send along. Bypass Wi-Fi by using your cell service or a walled Ethernet connection. Consider using a VPN full-time if you must use Wi-Fi. And, most importantly, don’t panic.