New FragAttacks Wi-Fi Bug Leaves Millions Of Devices Vulnerable, Patch Now
A researcher who has helped shaped Wi-Fi security has once again discovered a series of vulnerabilities affecting all Wi-Fi devices dating back to 1997. Fortunately, many of the security holes are difficult to exploit, and according to the Wi-Fi Alliance, it does not appear as though hackers are leveraging the security holes in the wild.
That could change at any time, of course, especially now that these vulnerabilities have been publicized. Belgian security researcher Mathy Vanhoef has collectively dubbed the security holes as FragAttacks, because they are fragmentation and aggregation attack vectors. According to Vanhoef, an attacker that is within radio range of a device can exploit the vulnerabilities to steal a victim's information, or otherwise compromise their wireless gadget.
"The biggest risk in practice is likely the ability to abuse the discovered flaws to attack devices in someone's home network. For instance, many smart home and internet-of-things devices are rarely updated, and Wi-Fi security is the last line of defense that prevents someone from attacking these devices," Vanhoef explains.
He posted a video demonstrating three of the attack vectors...
Vanhoef says it is "hard to abuse" the inherent Wi-Fi design flaws outlined, because it requires user interaction and can only be accomplished when using uncommon network settings (the attacker also has to be within radio range of the victim's device). For those reasons, the biggest threat amounts to "programming mistakes in Wi-Fi products," as several of the bugs are trivial to exploit. Still, he says the discovery of these flaws "comes as a surprise," as Wi-Fi security in general has improved over the years.
Many of the vulnerabilities relate to being able to inject maliciously crafted aggregated plaintext frames to wireless devices. In doing so, an attacker could direct a device to a malicious DNS server without user interaction.
Scary stuff, though the Wi-Fi Alliance says "these issues are mitigated through routine device updates that enable detection of suspect transmissions or improve adherence to recommended security implementation practices." In addition, companies have begun patching these newly discovered flaws.
Therein lies the rub, though. Not all device makers are great about doling out security patches in a timely manner, particularly when it comes to Internet of Things (IoT) devices. That doesn't mean you should throw your hands up in the air and hope for the best, though.
Both Cisco and Juniper have patches available. In addition, Microsoft has already pushed out patches, and the Linux community is working on one as well. Your best bet is to make sure your OS is fully updated, and also check for firmware and software upgrades for all your wireless devices, including your Wi-Fi router, smartphone, and so forth.