Recently, a whole raft of security flaws have been found that impact all Wi-Fi devices, including smart phones, IoT devices, and personal computers going back as far as 1997. This unfortunately means that almost every Wi-Fi device in use today is vulnerable.
Collectively, the attacks associated with these issues have been dubbed FragAttacks.
Mathy Vanhoef, of the University of Abu Dhabi, and the researcher who discovered FragAttacks had this to say about them:
“Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities.
The discovered vulnerabilities affect all modern security protocols of Wi-Fi, including the latest WPA3 specification. Even the original security protocol of Wi-Fi, called WEP, is affected. This means that several of the newly discovered design flaws have been part of Wi-Fi since its release in 1997!”
If there’s a silver lining to be had, it lies in the fact that an attacker needs to be within the Wi-Fi range of the device targeted in order to execute the attack and either inject malicious code or steal sensitive data. However, if the attacker is in range, it’s entirely possible for him to take complete control of the target device.
Vanhoef also notes that the flaws are somewhat difficult to abuse because they rely on network settings not commonly used, which, combined with the first point does offer a measure of protection.
Nonetheless, this is about as serious as it gets, but fortunately, vendors are already in the process of developing patches to address the issues.
The patches are being tracked as follows:
- CVE-2020-24588
- CVE-2020-24587
- CVE-2020-24586
- CVE-2020-26145
- CVE-2020-26144
- CVE-2020-26140
- CVE-2020-26143
- CVE-2020-26139
- CVE-2020-26146
- CVE-2020-26147
- CVE-2020-26142
- CVE-2020-26141
Finally, note that there’s no evidence at this point that any of these attacks are being used in the wild. Even so, these flaws represent a serious point of weakness. Until patches are developed and deployed, researchers recommend disabling fragmentation, disabling pairwise rekeys and disabling dynamic fragmentation in Wi-Fi 6 (802.11ax) devices.