This may help further discussion and allay some of our fears unless I am misunderstanding something.
Attacker must be within WiFi network range
The attack works only if the attacker is in the victim's WiFi network range, and is not something that could be carried out via the Internet.
HTTPS may also protect user traffic in some cases, as HTTPS uses its own separate encryption layer. Nonetheless, HTTPS is not 100% secure, as attacks exist that could downgrade the connection and grant the attacker access to HTTPS encrypted traffic.
The KRACK attack is universal and works against all types of devices connecting or using a WPA2 WiFi network. This includes Android, Linux, iOS, macOS, Windows, OpenBSD, and embedded and IoT devices.
The attack allows a third party to eavesdrop on WPA2 traffic, but if the WiFi network is configured to use WPA-TKIP or GCMP encryption for the WPA2 encryption, then the attacker can also inject packets into a victim's data, forging web traffic.
Patches take time to produce and test!
Windows and Linux systems already have a patch out. (Updated my Linux box a few hours ago)
Android and Apple devices will take a couple of weeks as well.
As for routers, Netgear have a patch for *some* of their devices and others will be rolled out in the coming weeks. Other makers are somewhere between "got a patch about to roll out" and "we'll have one in a few weeks or so."
BT will have to wait to test any patch to make sure it does not cause more problems than it solves in their devices...
The security expert that found the vulnerability shared his findings several weeks ago, well in advance of the public announcement.
BT had all the time they needed to prepare a patch if they wanted; no excuse for ignoring the security risk, waking up last moment and suggesting they need time to fix their products.
Other vendors managed to be ready by the time of the public announcement, what's the excuse for BT's lack of action?
There's a list of affected vendors here http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4
From the dates given there the security researcher who found the vulnerability told the vendors about it on 28th August, closer to 2 months ago than 1 month. So plenty of time to produce a patch, as quite a few have. And certainly time to let customers know what the situation is. So why nothing from BT?
Did you read mine? How is having nearly two months notice to produce a patch having to produce it 'instantly'? We don't know if they even need to produce a patch. It would be nice to know one way or the other.
I spoke to BT help desk, they told me that the hubs were auto updated with a fix. My hub says it's running "Software version 126.96.36.199.188.8.131.52.2 | Last updated 14/07/17" which doesn't fall in line with the engineers notifying companies 2 months ago.
The rep didn't have many details for me but I've asked them to comment in this thread and make users aware of major security fixes so we don't have to hear about such news from tech blogs first. Hopefully, they'll be able to share more information soon.
The BT hub, like most home routers, is based on Linux underneath, so the underlying Linux tools will need to be updated; whoever does the firmware would then need to validate, integrate and test the update. All of that takes time. The problem as well is any patch will basically break the protocol specification and move the devices outside of the published protocol specification, as, knowing standards bodies, it will take months to fix the protocol specification.
Any patch will potentially impact interoperability of wireless networked devices. It's far easier to test and roll out a patch to the client devices to work around this issue than to push out a fix for routers and wireless access points, as it's far more likely old legacy client machines and IoT things will break than a semi-modern WAP or router.
For those on the forum who need a plain description of the WPA2 (krack) implications, this is a decent description.
I have been in contact with BT and they say that they are working on a security fix to roll out to the home hubs.
They do not have an expected delivery date yet.
I've suggested that they should post something on here and email their customers.
The best advice I can find at the moment is to treat your home network as though it were a public Wi-Fi network.
If you hard wire to your home hub and disable Wi-Fi it would defeat the vulnerability - but your wireless devices won't work. So this isn't really practical.
Just hard wiring your PC to the hub doesn't really help much if any of the other Wi-Fi devices have already been compromised by malware (they would still see unencrypted traffic).
Using HTTPS or a VPN is a good way to protect yourself, but that doesn't help protect against malware on devices like TVs and Set Top Boxes that can't run a VPN client.
Make sure that you only use apps downloaded from a reputable source. Keep your devices patched. Run a decent security package.
This is a very messy problem. It will take a while to go away.