WPA2 is fallen, winter is here
Proving once again that hackers security researchers are the reason we can't have nice things, the Key Installation Attack (KRACK) is loose in the wild and exploits an intrinsic weakness in the WPA2 protocol to let unsavory sorts do unsavory things.
How screwed are you?
That depends on who lives near you and how much you've pissed them off because as usual hacking WiFi networks requires the attacker to be physically close. On the down side, the short story is that there are no more secure wireless protocols.
- WPA2 GCMP, WPA2/WPA TKIP: attackers can decrypt your packets, steal your network key, and spoof your clients to switch to their access point for other nefarious man-in-the-middle attacks
- WPA2 CCMP/AES: attackers can decrypt your packets and spoof your clients to switch to their access point but can't steal your network key.
- WEP: completely cracked years ago, you are better off using WPA2 CCMP/AES.
The industrial and national espionage opportunities are more compelling than Eve going after Alice and Bob's home network traffic so some of you are more screwed than others. Authenticated WPA2 Professional still relies on the same underlying technology that has this intrinsic flaw. Additionally, some implementations are more susceptible to certain classes of attacks than others.
Problematically, the extremely-vulnerable wpa_supplicant implementation is at the heart of any Linux-based system including and especially embedded ones such as consumer WiFi routers, smart TVs, and pretty much any Internet of Things device. For a lot of these things you'll be lucky to ever see a firmware update.
The good news
This can be fixed by a minor revision to the WPA2 specification that's backwards-compatible with existing devices/software/whatever. Network traffic that's designed to operate over unsecure links is unaffected (e.g. https://, encrypted VPN). Read a Mickens about security and feel better.
The bad news
Any fix will require a patch, a lot of stuff won't get patched, and any unpatched device/software/whatever is an attack vector. Unsecure network services (e.g. everything not designed to operate on the raw Internet) are exposed to attackers on your network. An attacker on your network can turn all your stuff into zombies, access your open network shares, and otherwise do anything that someone you've given your network password can do.
Have a nice day, patch all your stuff, and don't forget to use AES.