Billions of devices vulnerable to Wi-Fi 'FragAttacks'

Billions of devices vulnerable to Wi-Fi 'FragAttacks' — what to do

(Image credit: Shutterstock/Mathy Vanhoef CCA-4)

Up to a dozen serious security flaws affect nearly all Wi-Fi-enabled devices, including PCs, Mac, iPhones, Android phones, most routers and smart-home devices, says a Belgian security researcher. You'll want to update Windows straight abroad; most other devices will accept to wait for patches.

Mathy Vanhoef, who in 2017 co-discovered the widespread KRACK flaws in Wi-Fi, groups these 12 new flaws under the proper name "FragAttacks." He'southward put an impressive amount of documentation online to explain the flaws, including a defended FragAttacks website, an academic research newspaper, a presentation slideshow, two YouTube videos and a software tool to discover vulnerable devices.

Your router's security stinks: Here'southward how to fix it
The all-time Windows laptops you tin can buy correct now
Plus: Colonial Pipeline cyberattack: Everything you demand to know

Simply put, the FragAttacks, some of which appointment dorsum to the get-go version of Wi-Fi in 1997, permit nearby devices "inside radio range" attack your Wi-Fi network to steal information and send devices to bad places online.

Especially vulnerable, Vanhoef says, are smart-home devices that have a difficult time receiving software updates. All Wi-Fi security protocols can be broken by at least some of these attacks, including WEP, WPA2 and WPA3.

"Every Wi-Fi product is afflicted by at least one vulnerability and ... nearly products are affected by several vulnerabilities," Vanhoef writes on the FragAttacks website. "The discovery of these vulnerabilities comes as a surprise, because the security of Wi-Fi has in fact significantly improved over the past years."

Every bit far as Vanhoef is aware, none of these flaws has been exploited by malicious hackers. But he can't rule out that some of the more device-specific flaws may already have been discovered and exploited.

Hither'southward a video of Vanhoef using one of these flaws to assail a Mac, making the Mac connect to a rogue Wi-Fi network and sending it to potentially malicious websites.

What you tin do to protect yourself confronting FragAttacks

Microsoft patched Windows 10, Windows viii.1 and even Windows 7 confronting the iii most mutual FragAttacks flaws with yesterday'due south (May 11) round of security updates. So update your Windows devices today.

Linux patches are slowly being pushed out, enterprise-networking-hardware makers Cisco and Sierra Wireless are planning patches, and rival Juniper Networks has already released some.

Among consumer router makers, Netgear has an informational folio that says firmware updates are already available for some routers, listed on the page. The company adds that it is "developing and testing additional firmware fixes, which nosotros will release as they become bachelor."

There practice non seem to be patches available withal for Macs, iPhones, iPads or Android devices, or other major brands of dwelling Wi-Fi routers. (We checked their recent security advisories.) We'll update this story when we receive more than information.

In the meantime, says Vanhoef, yous tin can protect yourself by making certain yous take a stiff, unique Wi-Fi network password and by making sure to connect only to websites that take the HTTPS encryption protocol enabled by default.

The latest version of Chrome (and by inference, Edge and Dauntless) enforces HTTPS connections when possible; for other browsers, Vanhoef recommends the HTTPS Everywhere plug-in. If y'all're adequately technical, you can manually set your DNS on your router and then that it cannot be inverse by another party.

The nigh widespread flaws are the trickiest to exploit

The good news, says Vanhoef in his online slideshow, is that the "widespread flaws [are] relatively tricky to exploit in practise" and the easy-to-exploit flaws are "not widespread in practice."

The most serious flaws, he says on the FragAttacks website, involve "programming mistakes" in certain Wi-Fi devices and software implementations. He declines to reveal the afflicted products but implies that there are a lot of them.

[UPDATE: The devices afflicted by faulty software implementations are said to include the Samsung Galaxy S3 smartphone, Windows driver software for Alfa Wi-Fi dongles and the Linux, NetBSD and OpenBSD kernels.]

"The impact of our findings depends on the specific target," Vanhoef writes. "For some devices the impact is pocket-sized, while for others information technology'southward disastrous."

Vanhoef has been working with the Wi-Fi Alliance, the Industry Consortium for Advocacy of Security on the Internet and various vendors for the by nine months to go fixes for these flaws implemented.

He will be presenting his finding at the USENIX Security and Blackness Hat USA conferences in August, but you can already lookout his 12-minute USENIX presentation on YouTube.

The all-time smart home devices you can buy

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random Tv set news spots and fifty-fifty chastened a console word at the CEDIA home-applied science conference. You lot tin follow his rants on Twitter at @snd_wagenseil.