A few days ago, Belgian security researcher Mathy Vanhoef found a dozen previously unknown security flaws affecting Wi-Fi devices and named them “FragAttacks” (fragmentation and aggregation attacks).
Within the radio range of a victim, a threat actor can exploit them to steal user information or attack devices.
The report found that at least three of the discovered vulnerabilities are design flaws in the Wi-Fi standard and, as a result, affect most devices.
Moreover, the research found that other vulnerabilities are caused by widespread programming mistakes in Wi-Fi products.
However, these flaws are very complex to exploit given their design, and mitigation measures are already in place.
Find out more on our blog!
FragAttacks: vulnerabilities involved
The research discovered that all modern Wi-Fi security protocols – with no exception for the latest WPA3 – may be vulnerable to attack.
Besides that, there is even more worrying news. The vulnerabilities also affect WEP, the original Wi-Fi security protocol. This essentially means that devices using Wi-Fi connections have been exposed since 1997.
However, you should not despair. The good news is that exploiting these security flaws may prove very hard given their complex design.
The main concern of the report is indeed fixing the programming mistakes in Wi-Fi products that are at the root of the flaws themselves.
To protect users, security researchers disclosed the details of these vulnerabilities gradually. This operation lasted 9 months and was coordinated by the Wi-Fi Alliance and ICASI.
As a general recommendation, you should update every device you own as soon as possible to minimize risks.
If updates are unavailable, you can still mitigate some of the attacks by limiting your visits to HTTPS websites.
Mathy Vanhoef has also released a demo to show how an adversary can exploit such vulnerabilities.
It suggests that attackers may abuse them in two ways. First, they may lead to theft of sensitive data. Second, they may allow attacks on devices connected to the same network in someone’s home or workplace.
This second option is the greatest risk, as homes and offices are full of non-updated IoT devices whose last line of defense is Wi-Fi security itself.
You can watch it at this link.
To conclude, the research work carried out by Mathy Vanhoef has taught us an important lesson.
Regular analysis of security protocols is critical. Also, testing Wi-Fi products and actively searching for flaws is essential. Certifying them may be a useful solution to these problems.
For more information, we refer our readers to Mathy Vanhoef’s blog to dig into this sensitive matter further.