Wi-Fi: 12 critical flaws dating from the 90s!

Really, not a single day goes by without a computer security researcher discovering an unprecedented security flaw. After the vulnerabilities on Google Chrome and Edge, or on Zoom, researcher Mathy Vanhoef from New York University Abu Dhabi (United Arab Emirates) highlighted twelve security vulnerabilities affecting devices equipped with a Wi-Fi module.

These twelve flaws can be exploited in various ways, to such an extent that the researcher has grouped them together under the name of FragAttacks. To summarize, be aware that these vulnerabilities allow all to steal data or take remote control of the targeted devices. “An adversary who is within radio range of a victim can abuse these vulnerabilities to steal information or attack devices,” he warns.

Rather improbably, it seems that most of these flaws date from the 90s, the beginning of Wi-Fi technology. They also concern all recent security protocols, from WEP to WPA 3. In other words, these are design flaws that have never been corrected by the Wi-Fi Alliance. As a reminder, this is a consortium based in Austin, Texas which owns and controls the “Wi-Fi Certified” logo. Created by the six Wi-Fi pioneers (namely Cisco, Intersil, Agere, Nokia, 3com and Symbol Technologies), this alliance now brings together more than 600 companies.

To read also: Android: 36 new critical flaws identified by Google | Android MT (android-mt.com)

Flaws far from obvious to exploit

However, the researcher wants to be reassuring and specifies that these flaws are not easy to exploit. ” Design flaws are difficult to exploit, as this requires user interaction or is only possible when using unusual network settings ”, explains Mathy Vanhoef. Nevertheless, the expert wanted to show in video how it was possible to take advantage of these flaws, via three different exploitations.

The first is to exploit a flaw in the aggregation design, so as to intercept a user’s sensitive information such as their name or the victim’s Wi-Fi password. Via another vulnerability, the researcher manages to take control of unsecured connected objects. Finally, the expert managed, for example, to exploit these flaws to access the system of a PC running Windows 7 in a local network. ” Three of the vulnerabilities discovered are design flaws in the Wi-Fi standard and therefore affect most devices ”, he assures.

Following the publication of its discovery, the ICASI (Industry Consortium for Advancement of Security on the Internet) issued an alert bulletin in order to detail the twelve vulnerabilities highlighted by the researcher. For his part, the Wi-Fi Alliance is currently working with manufacturers of Wi-Fi modules to correct these flaws. This is for example the case of Microsoft, which has already deployed a patch in early March 2021.

Source: The Computing World