Newly discovered Wi-Fi vulnerabilities affect most devices, but risk is small

A security researcher with a solid track record in discovering Wi-Fi vulnerabilities has discovered new ones, some of which are part of the core security protocols of the Wi-Fi standard, so are present in virtually every device from 1997 onwards.

The flaws could be exploited to steal sensitive data, control smart home devices, and even take over some computers. There are, however, two pieces of good news. First, the real-life risks for ordinary users are very small. Second, it’s easy to protect yourself against even these small risks …

The issues were discovered by Belgian security researcher Mathy Vanhoef, who has made something of a name for himself by discovering flaws in Wi-Fi standards. These latest ones even affect WPA3, the latest and most secure standard.

This website presents FragAttacks (fragmentation and aggregation attacks) which is a collection of new security vulnerabilities that affect Wi-Fi devices. An adversary that is within radio range of a victim can abuse these vulnerabilities to steal user information or attack devices.

Three of the discovered vulnerabilities are design flaws in the Wi-Fi standard and therefore affect most devices. On top of this, several other vulnerabilities were discovered that are caused by widespread programming mistakes in Wi-Fi products. Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities.

The discovered vulnerabilities affect all modern security protocols of Wi-Fi, including the latest WPA3 specification. Even the original security protocol of Wi-Fi, called WEP, is affected. This means that several of the newly discovered design flaws have been part of Wi-Fi since its release in 1997!

Vanhoef has a video demonstrating three kinds of attack.

The video shows three examples of how an adversary can abuse the vulnerabilities. First, the aggregation design flaw is abused to intercept sensitive information (e.g. the victim’s username and password). Second, it’s shown how an adversary can exploit insecure internet-of-things devices by remotely turning on and off a smart power socket. Finally, it’s demonstrated how the vulnerabilities can be abused as a stepping stone to launch advanced attacks. In particular, the video shows how an adversary can take over an outdated Windows 7 machine inside a local network.

The real-life risks are small, as they rely on user interaction and network settings, which are not in common use.

You can maximize your protection by using HTTPS websites wherever possible, and using VPNs when on public hotspots.

HTTPS Everywhere is a way to force the use of HTTPS where it is supported by a website, even if their default web pages are the HTTP version. This is available for Chrome, Edge, Firefox, and Opera – but unfortunately not for Safari. It is already included in Brave and Tor browsers.

FTC: We use income earning auto affiliate links. More.


Check out 9to5Mac on YouTube for more Apple news: