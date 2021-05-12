A security researcher has discovered a number of vulnerabilities that affect the Wi-Fi standard. Some of the errors date back to 1997 and involve a wide range of devices marketed over the last 24 years. This includes routers, IoT devices, smartphones, and more.

Study author Mathy Vanhoef explains that the vulnerabilities, known as “fragmentation attacks,” allow attacks to be carried out within Wi-Fi radio range. The computer perpetrators can run malicious code on affected devices and steal user data.

Devices are also exposed to possible attacks even if they are connected to a private network with a password, for example with WEP and WPA systems. However, according to Vanhoef, the flaws are difficult to exploit because it “requires user interaction or is only possible when using unusual network configurations”.

The Wi-Fi standard, more than two decades with security flaws



Mathy Vanhoef explains vulnerabilities in the Wi-Fi standard

The researcher indicates that tSeveral of the vulnerabilities discovered correspond to flaws in the design of the Wi-Fi standard and, consequently, “affect most devices.” Other vulnerabilities are related to “programming errors” in the implementation of the standard in various products.

The explanation of the vulnerabilities in detail requires a broad breakdown of technical elements that can be consulted on the Vanhoef blog. One of the vulnerabilities consists of the injection of an unencrypted frame into a protected Wi-Fi network. This could intercept the victim’s traffic, tricking them into using a malicious DNS server.

Another vulnerability can be exploited by exchanging a flag without authentication within a frame. This would allow “injecting arbitrary network packets by tricking the victim into connecting to your server.” It is basically about opening a door to other types of potential attacks.

Vanhoef has shared his research with the Wi-Fi Alliance. As a consequence of this, the organization that promotes and certifies Wi-Fi products has been working with vendors to address the failures. Some of them have already been released, while others are in the works.

Photo by Stephen Phillips – Hostreviews.co.uk on Unsplash

Wi-Fi Alliance ensures that «there is no evidence that the vulnerabilities are being used maliciously against users«. They also recommend keeping devices updated to improve security. The Industry Consortium for the Advancement of Internet Security (ICASI), for its part, has issued a statement listing the issues.

Microsoft has released patches that fix 12 Wi-Fi bugs in its Windows operating system. Patches for Linux, according to ZDNet, are on the way. Companies such as Cisco, Juniper Networks, Sierra Wireless, and HPE are also working to address these issues.

