New Wi-Fi Flaws Revealed - Actually Quite Old

(Image credit: Shutterstock)

Widespread flaws affecting Wi-Fi have been disclosed to the public by security researcher Mathy Vanhoef nine months after he tipped the Wi-Fi Alliance off about the problem. The vulnerabilities, reported by Gizmondo from a site set up by Vanhoef exploit mistakes in the implementation of Wi-Fi standards, and can affect any Wi-Fi device no matter how old, and running any level of security including WPA 2 and 3. 

The ‘fragmentation and aggregation attacks’ - FragAttacks for short - are 12 different vulnerabilities that see Wi-Fi devices leak user data if probed in the right way. Three of the flaws are baked into the Wi-Fi standard itself, while the others flow from programming errors in specific products. The flaws have likely been lurking since Wi-Fi was first released in 1997, as even the venerable WEP protocol is vulnerable - though you really should have moved on from WEP by now, as it’s easily broken

By taking advantage of the way some routers accept plaintext during handshakes, for example, or the way some networks cache data, intruders could intercept personal data, or even direct users to fake websites. Vanhoef talks us through the attacks in this YouTube video, remotely controlling a smart plug and compromising an outdated Windows 7 PC.

(Image credit: Shutterstock)

“The biggest risk in practice,” Vanhoef writes, “is likely the ability to abuse the discovered flaws to attack devices in someone's home network. For instance, many smart home and internet-of-things devices are rarely updated, and Wi-Fi security is the last line of defense that prevents someone from attacking these devices. Unfortunately, due to [these] vulnerabilities, this last line of defense can now be bypassed.”

There is some good news, however: most of the flaws are hard to exploit, patches are available for many devices, including three from Microsoft going all the way back to Windows 7, and from all major router manufacturers (though not all models have received new firmware yet). At the time of writing Vanhoef said he wasn’t aware of any attacks in the wild using the exploits. This could be a good time to ditch your service provider’s router for the latest and best routers.

Ian Evenden
Freelance News Writer

Ian Evenden is a UK-based news writer for Tom’s Hardware US. He’ll write about anything, but stories about Raspberry Pi and DIY robots seem to find their way to him.

  • mikeebb
    Considering that the major cable & phone ISPs probably won't upgrade that equipment they rent to you, whether or not you actually use it, getting a new router from them, or even updated firmware, is dreaming. Yes, once the fixes are applied, getting a different router with them and turning off all but gateway functions in the ISP router would be a good idea. And, probably, one should change the wifi password periodically, though with potentially hundreds of devices connected that could be a real pain to propagate through a basically unmanaged home network.