Any device using Wi-Fi Protected Access II (WPA2) encryption could allow nearby attackers to intercept and steal data transmitted across a Wi-Fi network, as it is reportedly vulnerable to newly discovered series called Key Reinstallation Attacks (KRACKs).
KRACKs that have been discovered by Mathy Vanhoef, a security researcher at a Belgian university, consists of 10 separate vulnerabilities and three keys in 4-way handshake: reinstallation of the pairwise encryption key (PTK-TK), reinstallation of the group key (GTK, and a reinstallation of the integrity group key (IGTK).
Vanhoef wrote in Krackattacks “An attacker within range of a victim can exploit these weaknesses using KRACKs. Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data”.
“The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected.”
On being asked whether changing Wi-Fi password would help, Vanhoef answered “Changing the password of your Wi-Fi network does not prevent (or mitigate) the attack. So you do not have to update the password of your Wi-Fi network. Instead, you should make sure all your devices are updated, and you should also update the firmware of your router. Nevertheless, after updating both your client devices and your router, it’s never a bad idea to change the Wi-Fi password.”