A security researcher with a solid track record in discovering Wi-Fi vulnerabilities has discovered new ones, some of which are part of the core security protocols of the Wi-Fi standard, so are present in virtually every device from 1997 onwards.

The flaws could be exploited to steal sensitive data, control smart home devices, and even take over some computers. There are, however, two pieces of good news. First, the real-life risks for ordinary users are very small. Second, it’s easy to protect yourself against even these small risks …

The issues were discovered by Belgian security researcher Mathy Vanhoef, who has made something of a name for himself by discovering flaws in Wi-Fi standards. These latest ones even affect WPA3, the latest and most secure standard.

This website presents FragAttacks (fragmentation and aggregation attacks) which is a collection of new security vulnerabilities that affect Wi-Fi devices. An adversary that is within radio range of a victim can abuse these vulnerabilities to steal user information or attack devices.

Three of the discovered vulnerabilities are design flaws in the Wi-Fi standard and therefore affect most devices. On top of this, several other vulnerabilities were discovered that are caused by widespread programming mistakes in Wi-Fi products. Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities.

The discovered vulnerabilities affect all modern security protocols of Wi-Fi, including the latest WPA3 specification. Even the original security protocol of Wi-Fi, called WEP, is affected. This means that several of the newly discovered design flaws have been part of Wi-Fi since its release in 1997!

Vanhoef has a video demonstrating three kinds of attack.

The video shows three examples of how an adversary can abuse the vulnerabilities. First, the aggregation design flaw is abused to intercept sensitive information (e.g. the victim’s username and password). Second, it’s shown how an adversary can exploit insecure internet-of-things devices by remotely turning on and off a smart power socket. Finally, it’s demonstrated how the vulnerabilities can be abused as a stepping stone to launch advanced attacks. In particular, the video shows how an adversary can take over an outdated Windows 7 machine inside a local network.

The real-life risks are small, as they rely on user interaction and network settings, which are not in common use.

You can maximize your protection by using HTTPS websites wherever possible, and using VPNs when on public hotspots.

HTTPS Everywhere is a way to force the use of HTTPS where it is supported by a website, even if their default web pages are the HTTP version. This is available for Chrome, Edge, Firefox, and Opera – but unfortunately not for Safari. It is already included in Brave and Tor browsers.

FTC: We use income earning auto affiliate links. More.

Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear