The security researcher who discovered the Krack Wi-Fi vulnerability has discovered a lot of other flaws with the wireless protocol most of us use to fuel our online lives (through Gizmodo). The vulnerabilities relate to how Wi-Fi handles large amounts of data, with some related to the Wi-Fi standard itself, and others related to how it is implemented by device manufacturers.
The researcher, Mathy Vanhoef, calls the set of vulnerabilities ‘FragAttacks’, which is called a mix of ‘fragmentation’ and ‘aggregation’. He also says the vulnerabilities could be exploited by hackers, allowing them to intercept sensitive data or show users fake websites, even if they use Wi-Fi networks secured with WPA2 or even WPA3. They can theoretically exploit other devices on your home network as well.
There are twelve different attack vectors under the classification, all of which work in different ways. One exploits routers that accept plain text during handshakes, the other exploits routers that cache data in certain types of networks, etc. If you want to read all the technical details on exactly how they work, you can check out Vanhoef’s website.
According to The record, Vanhoef informed the WiFi Alliance about the vulnerabilities ingrained in the way WiFi works so that they could be corrected before disclosing them. Vanhoef says he is unaware of the vulnerabilities being exploited in the wild. While he points out in a video that some of the vulnerabilities are not particularly easy to exploit, he says it would be “trivial” to take advantage of others.
Vanhoef points out that some of the flaws can be exploited on networks that use the WEP security protocol, indicating that they’ve been around since Wi-Fi was first implemented in 1997 (although if you’re still using WEP, these attacks the least of your worries).
Vanhoef says the flaws are widespread and affect many devices, which means a lot of updating.
The problem with updating the Wi-Fi infrastructure is that it is always a pain. For example, before writing this article, I went to see if my router had any updates and realized I had forgotten my login information (and I suspect I won’t be alone in that experience). There are also devices that are just old, the manufacturers of which are gone or no longer release patches. If you can, keep an eye on your router manufacturer’s website for updates rolling out, especially if they in the advice list.
Some vendors have already released patches for some of their products, including:
As for everything else you need to do, Vanhoef recommends the usual steps: keep your computers up to date, use strong, unique passwords, don’t visit shady sites, and make sure to use HTTPS as often as possible. That aside, it’s especially grateful that you’re not responsible for the widespread IT infrastructure (my deepest condolences if you are).