The security researcher who discovered the KRACK Wi-Fi flaw has also discovered a slew of other flaws in the wireless protocol that most of us rely on to power our online lives (via Gizmodo). The vulnerabilities concern how Wi-Fi handles large amounts of data, with some relating to the Wi-Fi standard itself and others to how device manufacturers implement it.
Mathy Vanhoef, the researcher, calls the collection of vulnerabilities “FragAttacks,” a mashup of “fragmentation” and “aggregation.” He also claims that the vulnerabilities could be exploited by hackers, allowing them to intercept sensitive data or show users fake websites even if they are using WPA2 or WPA3-secured Wi-Fi networks. Attackers could theoretically also exploit other devices on your home network.
The collection includes twelve different attack vectors, each of which works in a different way. One exploits routers that accept plaintext during handshakes, another exploits routers that cache data in certain types of networks, and so on. Vanhoef’s website contains all of the technical details about how they work.
According to The Record, Vanhoef notified the Wi-Fi Alliance about the vulnerabilities that were built into the way Wi-Fi works so that they could be fixed before he disclosed them to the public. Vanhoef claims he is unaware of any vulnerabilities being exploited in the wild. While he admits in a video that some of the vulnerabilities are difficult to exploit, he claims that others are “trivial” to exploit.
Vanhoef notes that some of the flaws can be exploited on networks using the WEP security protocol, indicating that they have existed since Wi-Fi was first implemented in 1997 (though if you are still using WEP, these attacks should be the least of your worries).
According to Vanhoef, the flaws are widespread and affect a wide range of devices, which means a significant amount of updating will be required.
The problem with updating Wi-Fi infrastructure is that it is always a chore. For example, before writing this article, I went to see if my router had any updates and discovered that I had forgotten my login information (and I suspect I am not alone in this). There are also devices that are simply outdated, with manufacturers that have either gone out of business or are no longer releasing patches. If you can, keep an eye on your router manufacturer’s website for any updates that are available, especially if they are on the advisory list.
Some vendors have already released patches for some of their products, including:
- Linux Wireless
As for anything else you need to do, Vanhoef recommends the following steps: keep your computers up to date, use strong, unique passwords, avoid visiting shady websites, and use HTTPS as much as possible.