A vulnerability running wild for 24 years! The WiFi everyone uses has been exposed to a major vulnerability

The WiFi you’re using has been found to have a major vulnerability!

From account passwords all the way up to device permissions, nothing is safe.

Moreover, the vulnerability affects all devices connected to WiFi.

WiFi is as common as sunlight and air, and has become one of the necessities of modern life.

But the vulnerability was found to have been “lurking” in WiFi’s lowest-level protocol for 24 years.

How serious is the vulnerability?

It is no exaggeration to say that nothing is spared: cell phones, computers, smart speakers, watches and other smart devices alike.

Professor Mathy Vanhoef of Katholieke Universiteit Leuven in Belgium, who was the first to discover the vulnerabilities, demonstrated live how serious the consequences of these vulnerabilities can be.

The first is the interception of critical accounts and passwords through WiFi.

Using the vulnerability, the hacker targets a WiFi network and then “clones” a network with identical characteristics.

Then the victim is sent an authentication email or SMS containing a link; the linked page carries a “harmless” image that, when loaded, causes the victim to receive a TCP packet.

This TCP packet is used to inject a new frame into the original WiFi protocol framework, so that the next time the victim opens a WiFi connection, he or she automatically connects to the fake WiFi.

Then, the hacker simply uses a packet capture tool like Wireshark to intercept the information that the user sends and receives on the network.

In effect, everything you type on that network, including account passwords, is broadcast “live” to the hacker.

Of course, this method is best suited to public WiFi in airports, hotels and similar places.

However, the attacker can also spend more effort to disguise as a network operator to send emails to home WiFi users.

The second threat is that attackers use WiFi directly to gain remote access to devices such as computers, smart stereos, surveillance cameras, and so on.

In the demonstration, Vanhoef takes a smart desk lamp that can be connected to WiFi for remote control as an example.

First, he tracked the target’s IP address from an Apple Mac on the same WiFi network, and thanks to the flaw in the WiFi protocol he was able to take remote control of the device without even knowing the WiFi password.

Imagine how terrible the consequences would be if a hacker manipulated a smart home this way, or a smart speaker or another device with a camera and recording capability.

Finally, using these vulnerabilities, an attacker can also carry out very sophisticated intrusions.

Because these vulnerabilities sit at the bottom of the protocol stack, even devices that never touch the public internet and live only on the local area network are at risk.

For example, the target in the demo is a Windows 7 computer isolated from the external network.

An attacker with access to the same LAN could use the vulnerability to break straight through the router’s firewall and implant a program on the target computer.

Next, every move made on the victim’s computer was live-streamed in real time.

Moreover, the attacker can also seize control remotely or silently implant a program.

[Figure: demonstration of remotely opening the system’s calculator]

How did such a dangerous vulnerability occur?

A vulnerability that has been “lurking” for 24 years

The vulnerabilities were found in essentially all WiFi security protocols, including the latest WPA3 specification.

Even WiFi’s original security protocol, WEP, is affected.

This means that several of these design flaws have been “lurking” in WiFi since its release in 1997.

Fortunately, these flaws are not so easy to exploit, because doing so requires user interaction or is only possible under uncommon network settings.

That is why these vulnerabilities could lurk for 24 years.

In practice, then, the biggest pitfalls come from design flaws in WiFi products.

Plain text injection vulnerability

A hacker can easily inject frames into a protected Wi-Fi network.

Attackers usually have to craft a frame carefully in order to inject an unencrypted frame into a WiFi network.

Against routers, this can also be abused to bypass firewalls.

In practice, some WiFi devices accept any unencrypted frame, even when the connection is to a protected WiFi network.

This means that an attacker does not need to do anything special. In addition, many WiFi encryption implementations on Windows incorrectly accept plaintext frames when they are split into several (plaintext) fragments.

Frame aggregation vulnerability

The frame aggregation feature was meant to increase the speed and throughput of the network by combining several small frames into one larger aggregated frame.

To achieve this, each frame contains a flag that indicates whether the encrypted data being transmitted contains a single or aggregated frame.

However, this “aggregation” flag is not authenticated and can be modified by an adversary, which means that a victim can be tricked into processing the encrypted data in an unintended way.

Frame fragmentation vulnerability

The second flaw is Wi-Fi’s frame fragmentation feature.

This feature increases the reliability of the connection by splitting large frames into smaller pieces.

When this is done, each fragment belonging to the same frame is encrypted using the same key.

However, receivers are not required to check this, and they will reassemble fragments that were decrypted using different keys. In rare cases, this can be abused to exfiltrate data.

Missing authentication information on the router side

Some routers will forward handshake frames to the endpoint even if the sender has not yet authenticated at all.

This vulnerability allows adversaries to perform aggregation attacks and inject arbitrary frames without user interaction.

In addition, there is another extremely common vulnerability: the receiving end never checks whether all the received fragments belong to the same frame, which means that an adversary can forge information by mixing fragments of two different frames.

Finally, there are also devices on the market that treat a single fragment as a full frame, a flaw that can be abused to inject packets.
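To make the fragmentation flaws concrete, here is an added Python model of receiver-side fragment reassembly (example code, not from the article or from Vanhoef’s test tool). The lax version joins fragments the way the text says vulnerable receivers do, while the strict version drops any set whose pieces were decrypted under different keys, belong to different frames, or do not form a complete, consecutive sequence. The field names, key ids, packet numbers and payloads are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Fragment:
    """One decrypted fragment. Fields are a constructed stand-in for the
    802.11 sequence/fragment numbers, the packet number (PN) and the key
    the fragment was decrypted under."""
    seq: int          # sequence number of the frame this fragment claims to belong to
    frag_no: int      # fragment number within that frame
    more_frags: bool  # "more fragments" flag
    key_id: int       # identifier of the key used to decrypt this fragment
    pn: int           # packet number of this fragment
    payload: bytes


def reassemble_lax(frags: List[Fragment]) -> bytes:
    """Behaviour the text describes: concatenate by fragment number without
    checking that all pieces come from the same frame or the same key."""
    return b"".join(f.payload for f in sorted(frags, key=lambda f: f.frag_no))


def reassemble_strict(frags: List[Fragment]) -> Optional[bytes]:
    """Hardened reassembly: every fragment must carry the same sequence number,
    be decrypted under the same key, have consecutive fragment and packet
    numbers, and the last one must clear the more-fragments flag.
    Returns the frame, or None when the set must be discarded."""
    ordered = sorted(frags, key=lambda f: f.frag_no)
    if not ordered or ordered[0].frag_no != 0:
        return None
    first = ordered[0]
    for i, f in enumerate(ordered):
        if f.frag_no != i or f.seq != first.seq or f.key_id != first.key_id:
            return None
        if i > 0 and f.pn != ordered[i - 1].pn + 1:
            return None
    if ordered[-1].more_frags:
        return None
    return b"".join(f.payload for f in ordered)


# Constructed sample: a legitimate two-fragment frame under key 1 ...
GOOD = [Fragment(10, 0, True, 1, 100, b"GET /login "),
        Fragment(10, 1, False, 1, 101, b"HTTP/1.1")]
# ... and a mixed set whose second piece came from another frame under key 2.
MIXED = [Fragment(10, 0, True, 1, 100, b"GET /login "),
         Fragment(11, 1, False, 2, 205, b"HTTP/1.1")]

if __name__ == "__main__":
    print(reassemble_lax(MIXED))     # mixed frame is accepted as-is
    print(reassemble_strict(MIXED))  # None: dropped
    print(reassemble_strict(GOOD))   # b'GET /login HTTP/1.1'
```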

What to do?

The underlying WiFi protocol has carried these vulnerabilities unchecked for 24 years and is used by countless devices today.

The cost and effort of redesigning the underlying protocol from scratch is unimaginable.

Mathy Vanhoef has developed a test tool specifically to check whether a device has the vulnerabilities described above.

He has also posted all the vulnerability identifiers on GitHub.

Since the WiFi protocol itself cannot be changed, the only way forward is to update the devices.

The updates are still being produced and will be released soon.