New WiFi Vulnerabilities Have Always Existed

WiFi enabled devices pose an inherent risk to businesses, especially IoT devices. Newly discovered vulnerabilities have been baked into WiFi enabled devices since the beginning.

Technology is an ever-evolving, ever-advancing industry. And there is one key piece of technology that enables us to use the majority of other technology in use today, regardless of industry or sector: The internet. Specifically, WiFi. WiFi enabled devices carry a risk, though, and we’ve recently learned of a number of vulnerabilities related to WiFi protocols, including WPA2.

Belgian cybersecurity expert Mathy Vanhoef, who co-discovered the KRACK attack in 2017, discovered a collection of vulnerabilities impacting a range of WiFi devices across a variety of manufacturers. These “fragmentation and aggregation attacks,” of which there are 12, were named FragAttacks and have the potential to leak user information. They can also be used to attack devices. From Vanhoef’s website dedicated to his research:

“An adversary that is within range of a victim’s Wi-Fi network can abuse these vulnerabilities to steal user information or attack devices. Three of the discovered vulnerabilities are design flaws in the Wi-Fi standard and therefore affect most devices. On top of this, several other vulnerabilities were discovered that are caused by widespread programming mistakes in Wi-Fi products. Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities.

The discovered vulnerabilities affect all modern security protocols of Wi-Fi, including the latest WPA3 specification. Even the original security protocol of Wi-Fi, called WEP, is affected. This means that several of the newly discovered design flaws have been part of Wi-Fi since its release in 1997! Fortunately, the design flaws are hard to abuse because doing so requires user interaction or is only possible when using uncommon network settings. As a result, in practice the biggest concern are the programming mistakes in Wi-Fi products since several of them are trivial to exploit.”

If any of that is confusing to you, let us clear it up: Any device that is WiFi enabled using any WiFi security protocol ever created needs to be updated. Cell phones, computers, tablets, IoT devices like smart appliances and home networking devices, routers, printers, smart TVs: anything that connects to the internet potentially has a vulnerability. These vulnerabilities can be used to steal sensitive information, to plant malware on devices for later harvesting, and in a variety of other nasty ways.

But there is good news. First, it doesn’t appear that these vulnerabilities have been exploited in the wild yet. Vanhoef coordinated with manufacturers on these vulnerabilities before disclosing FragAttacks to the public, and those manufacturers are already releasing patches. On the website (linked above) you can also find the technical details relating to these vulnerabilities. The other good news is that these flaws appear hard to abuse, requiring user interaction or an obscure network setting. There are some which are trivial to execute, though, which is why it’s important to update any WiFi enabled device as soon as possible.

According to Gizmodo, Microsoft already issued several updates and applied patches to Windows 10, Windows 8.1 and Windows 7. Netgear has also pushed out some patches and has more on the way. The Verge has a list of manufacturers with patches, so be sure to check that out as well.

It is incredibly important, incredibly important, for business owners, business leaders and security teams to take a hard look at this. Businesses use WiFi enabled devices, including IoT devices. Even if you’re not using the device via WiFi, that vulnerability is still there and can still be exploited. Make sure you update all machines, even those not currently in use, and apply any patches that are issued. This problem is now known by threat actors, and, as with most research discoveries, it will be exploited. Threat actors know that businesses won’t do their updates or apply their patches in a timely fashion, if at all. They’ll use any edge they can gain to reach their ultimate goal, which is to steal as much information as possible.

Don’t put this off; there are enough unknowns out there that businesses will have to handle. This is a known problem, something preventable. Don’t be the business that succumbs to a problem that could have been avoided.

About the Author

Pieter VanIperen, Managing Partner of PWV Consultants, leads a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as trusted technical partners for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. He is a 20-year software engineering veteran who has founded or co-founded several companies. He acts as a trusted advisor and mentor to numerous early stage startups, and has held the titles of software and software security executive, consultant and professor. His expert consulting and advisory work spans several industries in finance, media, medical tech, and defense contracting. He has also authored the highly influential precursor HAZL (jADE) programming language.
