If you read any tech websites besides Android Police, you may have already heard about 'KRACK.' That's the name for a serious security vulnerability that affects virtually every device supporting Wi-Fi connections - including Android.
I'll do my best to explain in a way that doesn't leave you confused and/or bored. If you're not familiar with how Wi-Fi operates, most locked networks use the WPA2 protocol for security. There are a few older standards, like WEP and WPA1, but they have largely fallen out of use due to the massive number of ways to break into them (especially WEP). You can safely assume that 99% of the locked Wi-Fi networks you come across are using WPA2.
Security researcher Mathy Vanhoef at KU Leuven discovered a critical vulnerability in WPA2, which was published earlier today. According to his report, it is possible to use a Key Reinstallation Attack (KRACK) to decrypt network traffic, thus exposing much of the user's online activity. This is possible because when a device connects to a WPA2 network, a '4-way handshake' occurs where an encryption key is generated. That key is used for all subsequent traffic, but KRACK forces an old key to stay in use.
I recommend going to the source link below if you want the full technical explanation, but in summary, using an existing key opens up users to possible man-in-the-middle attacks. This allows the hacker to see most internet traffic, except data sent over HTTPS. However, KRACK can be used in conjunction with software that disables HTTPS on sites that have not set up HTTPS correctly (as seen in the above video). Many sites and apps will revert to non-secure HTTP when HTTPS is not working, making things worse.
As mentioned above, virtually every device and operating system that uses Wi-Fi is vulnerable to this attack right now. This includes Android, and to rub salt in the wound, another security researcher found that wpa_supplicant (the Wi-Fi client used by Android and most Linux distributions) is even easier to break into due to other issues. According to the report, Android 6.0 and higher is vulnerable.
There is some good news, believe it or not. This can be patched with a simple software update, but only on the client side. In other words, the fix has to be applied to every device you connect to your network, and a router/access point update won't address the problem (unless an access point is running as a client, for example as an extender).
As for Android devices, Google says that anything running the November 6 2017 security patch level will be protected. That patch hasn't been released yet, and even when it does, it will likely take months to reach major devices. There's no word on when updates for Chrome OS, or for Google's own Wi-Fi routers/access points, will arrive. Information about updates for other access points and devices can be found here.
- KRACK Attacks