New research has identified various flaws in the security of Wi-Fi connections. Attackers could take advantage of these weaknesses to gain access to private data. It is likely that the flaws affect all Wi-Fi devices. Mathy Vanhoef (Department of Computer Science) worked closely with the world's major IT companies to resolve the issues through updates that have already been announced.
Vanhoef, who is affiliated with KU Leuven and New York University Abu Dhabi, found three vulnerabilities in the Wi-Fi security protocol. He also identified several programming errors in devices with Wi-Fi connections. For the study, he tested 75 devices, including smartphones, laptops, and smart devices. All devices that were tested were vulnerable to at least one of the discovered flaws.
The weaknesses found in the Wi-Fi security protocols are very difficult to exploit, which may explain why they remained under the radar for a long time: Vanhoef found them in the current WPA3 protocol, but also in all previous security protocols, dating back to 1997. “The flaws allow attackers to intercept data that you enter online,” Vanhoef explains. “They can do this by making an insecure copy of a secure website on which you try to log in, for example. Instead of the data being encrypted, it ends up with the attacker.”
The programming errors that Vanhoef found in Wi-Fi devices are especially problematic for smart appliances and computers that have not been updated in a long time because it is easier to abuse them in these cases. “This way, people with bad intentions could take control of a smart light bulb, for example. And if an old Windows PC is attacked, they can even see everything you do on that computer and store all the data you enter,” Vanhoef explains.
Updates to fix the flaws
There is no immediate cause for concern. “It’s impossible to tell if these flaws have already been abused. It seems rather unlikely because they went unnoticed for so long.” Over the past nine months, Vanhoef worked closely with many major IT companies, including Google and Microsoft, to fix the weaknesses. This happened via the Wi-Fi Alliance, an association of IT companies that jointly own and control the Wi-Fi trademark. Yesterday, they launched the necessary updates to fix the flaws.
“This discovery came as a surprise because the security of Wi-Fi connections has improved significantly in recent years,” says Vanhoef. This is partly due to Vanhoef himself: in 2017 he discovered weaknesses in the WPA2 protocol. “IT companies should be well aware that even well-established technologies can have design flaws. Wi-Fi devices could also be tested more extensively to avoid these problems in the future.”
For users, he also has some good advice. “It’s a cliché, but it’s really important to maintain good cyber hygiene. Make sure you install new updates and always check that a website is secure if you are entering sensitive information such as account details. Data can never be intercepted from websites that are fully secure. You can recognize such websites by the padlock in front of the URL in your browser.”
Visit fragattacks.com for more information about the discovered weaknesses.