Apparently, there's a major vulnerability in WPA2

https://www.krackattacks.com/

In case you haven't seen it on reddit/the news yet. Whoops! This might be trouble.

Its a client side attack, so it's easily patched.

@rigas: Isn't it a fundamental issue with the WPA2 protocol, and integrated into a whole range of devices that aren't easily patched?

Some more reading for those who are interested.

https://doublepulsar.com/regarding-krack-attacks-wpa2-flaw-bf1caa7ec7a0

My director of cyber in his office today...

@fisk0: from what i've been able to understand- it affects both access points and client-side devices, so they're advising consumers to focus on patching their devices (smartphones, tablets, pcs, etc) as updates come in. although i'm sure it wouldn't be a bad idea to check in on your modem/router firmware over the next few weeks if that's an option for you.

from the krackattacks FAQ:

What if there are no security updates for my router?

Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.

microsoft already has something in the works.

it's also worth mentioning that a hacker would need local access to the wifi- so while public/semi private spaces are sure to be a shitshow, your home wifi (presumably) isn't as accessible and therefore vulnerable.

This actually isn't that big of a deal for the average person.

Might explain why we had those emergency Cisco patches a few weeks back.

of this website? sure. but in my experience the average person doesn't update anything, ever.

Sigh, I imagine the chances of my lowest level Android phone getting patched for this are somewhere between jack and shit. It's my phone I'm most worried about.

He's right though... even if they don't, this is something that requires a targeted attack (someone very skilled, spending their time, & sitting in range of your device). It's not a big deal for the average consumer or home user.

@zombievac: Given how many conferences happen this time of year, there's plenty of reason for concern for average users.

I think that's the case with a lot of people, with how garbage updates are with most Android phones. So my solution to patching my three year phone is to...get a new phone??

Good to see that Netgear rolled out a patch for this on the same day. They seem pretty solid.