Billions of devices vulnerable to Wi-Fi "FragAttacks" — what to do

Billions of devices vulnerable to Wi-Fi "FragAttacks" — what to do

Nearly all Wi-Fi enabled devices, including PCs, Macs, iPhones, Android phones, most routers, and smart home devices, have up to 12 serious security flaws, according to Belgian security researchers. update, but most other devices will have to wait for patches.

Mathy Vanhoef, who co-discovered the KRACK flaw prevalent in Wi-Fi in 2017, groups these 12 new flaws under the name "FragAttacks." He has put a huge amount of documentation online to describe the flaws, including a website dedicated to FragAttacks, academic research papers, presentation slideshows, two YouTube videos, and software tools to detect vulnerable devices.

In brief, FragAttacks, some dating back to the first version of Wi-Fi in 1997, allow nearby devices "within wireless range" to attack Wi-Fi networks, stealing information and sending devices to bad places online.

Particularly vulnerable, Van Hoff says, are smart home devices that have difficulty receiving software updates; all Wi-Fi security protocols, including WEP, WPA2, and WPA3, can be breached by at least some of these attacks.

"All Wi-Fi products are affected by at least one vulnerability, and most are affected by multiple vulnerabilities," Vanhoef wrote on the FragAttacks website.

"The discovery of these vulnerabilities is surprising, as Wi-Fi security has improved significantly over the past few years.

As far as Vanhoef knows, none of these flaws have been exploited by malicious hackers. However, the possibility that some of the more device-specific flaws have already been discovered and exploited cannot be ruled out.

Below is a video of Vanhoef using one of these flaws to attack a Mac, forcing the Mac to connect to a rogue Wi-Fi network and sending it to a potentially malicious website.

In a security update yesterday (May 11), Microsoft patched Windows 10, Windows 8.1, and Windows 7 against the three most common FragAttacks flaws. Update your Windows devices now.

Enterprise networking hardware makers Cisco and Sierra Wireless are planning patches, and rival Juniper Networks has already released several.

Among consumer router makers, Netgear has an advisory page and says firmware updates are already available for some of the routers listed on that page. The company adds that it is "developing and testing additional firmware fixes and will release them as soon as they become available."

No patches appear to be available yet for Macs, iPhones, iPads, Android devices, or other major brands of home Wi-Fi routers. (We checked a recent security advisory.) We will update this article as more information becomes available.

In the meantime, Vanhoef says, you can protect yourself by making sure you have a strong, unique Wi-Fi network password and only connect to websites that have the HTTPS encryption protocol enabled by default.

The latest version of Chrome (and Edge and Brave as well) enforce HTTPS connections whenever possible. For other browsers, Vanhoef recommends the HTTPS Everywhere plugin. If you are fairly technically savvy, you can manually configure your router's DNS to prevent it from being changed by others.

Vanhoef states in his online slideshow that the good news is that "widespread flaws [are] actually relatively tricky to exploit" and easily exploitable flaws are "not really widespread."

The most serious flaws are "programming errors" in certain Wi-Fi devices and software implementations, he states on the FragAttacks website. He refuses to reveal the affected products, but suggests that there are many of them.

[UPDATE: Devices affected by the flawed software implementation include Samsung Galaxy S3 smartphones, Windows driver software for the Alfa Wi-Fi dongle, and Linux, NetBSD and OpenBSD kernels The company is said to be ]

"The impact of our findings depends on the specific target," Van Hoff wrote. For some devices the impact will be minor, while for others it will be disastrous."

Van Hoff has been working with the Wi-Fi Alliance, the Industry Consortium for the Advancement of Security on the Internet, and various vendors for the past nine months to implement fixes for these flaws. He has been working on this.

He will present his findings at the USENIX Security and Black Hat USA conferences in August, and you can already watch a 12-minute USENIX presentation on YouTube.

.

Categories