Recently, a whole raft of security flaws have been found that impact all Wi-Fi devices, including smart phones, IoT devices, and personal computers going back as far as 1997. This unfortunately means that almost every Wi-Fi device in use today is vulnerable.
Collectively, the attacks associated with these issues have been dubbed FragAttacks.
Mathy Vanhoef, of the University of Abu Dhabi, and the researcher who discovered FragAttacks had this to say about them:
“Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities.
The discovered vulnerabilities affect all modern security protocols of Wi-Fi, including the latest WPA3 specification. Even the original security protocol of Wi-Fi, called WEP, is affected. This means that several of the newly discovered design flaws have been part of Wi-Fi since its release in 1997!”
If there’s a silver lining to be had, it lies in the fact that an attacker needs to be within the Wi-Fi range of the device targeted in order to execute the attack and either inject malicious code or steal sensitive data. However, if the attacker is in range, it’s entirely possible for him to take complete control of the target device.
Vanhoef also notes that the flaws are somewhat difficult to abuse because they rely on network settings not commonly used, which, combined with the first point does offer a measure of protection.
Nonetheless, this is about as serious as it gets, but fortunately, vendors are already in the process of developing patches to address the issues.
The patches are being tracked as follows:
CVE-2020-24588
CVE-2020-24587
CVE-2020-24586
CVE-2020-26145
CVE-2020-26144
CVE-2020-26140
CVE-2020-26143
CVE-2020-26139
CVE-2020-26146
CVE-2020-26147
CVE-2020-26142
CVE-2020-26141
Finally, note that there’s no evidence at this point that any of these attacks are being used in the wild. Even so, these flaws represent a serious point of weakness. Until patches are developed and deployed, researchers recommend disabling fragmentation, disabling pairwise rekeys and disabling dynamic fragmentation in Wi-Fi 6 (802.11ax) devices.