Subscriber Discussion

WPA2 Broken

Undisclosed #1
Oct 16, 2017
Brian Karas
Oct 16, 2017
IPVM

Summary from full description posted by researchers:

The attack described exploits the fact that networks, particularly wireless ones, are unreliable and data sometimes needs to be retransmitted. In this case, data exchanged during the initial handshake between the client and the router/AP to negotiate the connection is the target of the attack. A client can be tricked into reusing a previous encryption key by retransmitting data during this initial connection setup. That makes it easier for the attacker to decrypt new traffic that is reusing the same key, by analyzing the encrypted data of the original key use and the new key use.

Android and Linux clients are higher risk/easier to target because of the way they handle cases of encryption key retransmission during setup negotiation, though all Wi-Fi clients are vulnerable to this attack.

The attack does not reveal the Wi-Fi password, so an attacker cannot get full access to the Wi-Fi network itself through this attack.

This attack mostly exploits the client side of the connection, and while routers ideally should be patched, if your client's Wi-Fi stack is patched you should be safe from this vulnerability. These patches would need to come from the device and/or OS vendor.

Using other mechanisms of securing your data in transit over Wi-Fi (e.g., HTTPS, SSH tunnel, VPN, etc.) would generally make this vulnerability very low concern/risk.

 

Undisclosed Integrator #2
Oct 16, 2017

Patch Tuesday for the next couple of weeks is going to be fun...
