Abu Dhabi, UAE: Despite recent improvements to Wi-Fi security, NYU Abu Dhabi (NYUAD) researchers have discovered three design flaws that could allow hackers to access sensitive data on all Wi-Fi networks, even if the data has been encrypted.
In a new study, Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation published in USENIX Security, Mathy Vanhoef from the NYU Abu Dhabi Cyber Security & Privacy Lab and the team of researchers present three design flaws that infiltrated both an early Wi-Fi network designed in 1997 and present-day Wi-Fi technology – indicating that these vulnerabilities have been present since Wi-Fi was first introduced almost 25 years ago.
The vulnerabilities in Wi-Fi security that went unnoticed for more than two decades were discovered by simulating hacker attacks and analyzing the effect on open-source Wi-Fi stacks and systematically inspecting the 802.11 standard, which have varied levels of protection. One design flaw is in the frame aggregation functionality (the combination of smaller frames to create one large frame that increases Wi-Fi speed), and the other two are in the frame fragmentation functionality (the splitting of larger frames into smaller fragments to increase Wi-Fi connection). The flaws were found in all protected Wi-Fi networks, including old networks using Wired Equivalent Privacy (WEP), up to and including the latest Wi-Fi Protected Access 3 (WPA3) technology. Since even WEP is affected, this implies the root cause of several design flaws has been part of Wi-Fi since its introduction in 1997. Additionally, every single device that was tested was vulnerable to at least one of the security attacks.
The researchers also designed a programming tool to test whether devices are affected by any of the vulnerabilities, and offer recommended countermeasures to prevent attacks. The tool can test home networks and enterprise networks alike and is available in a USB format.
It was found that the attack in the simulation could have been avoided if devices had implemented optional security improvements earlier. This highlights the importance of deploying security improvements before practical attacks are known. Over the past nine months, the team of researchers has been in contact with IT specialists at Google, Microsoft, Cisco, MediaTek, Huawei, and other technology companies to share their discoveries and help implement more secure defenses.
“The security flaws our team has discovered may have affected an unfathomable number of personal or professional networks and devices since the creation of Wi-Fi in the late 90s,” said Vanhoef. “Our hope is that the publication of these findings and our work with IT specialists at leading corporations can make Wi-Fi more secure in networks that millions of individuals and organizations around the world rely on every day.”
© Press Release 2021
Disclaimer: The contents of this press release was provided from an external third party provider. This website is not responsible for, and does not control, such external content. This content is provided on an “as is” and “as available” basis and has not been edited in any way. Neither this website nor our affiliates guarantee the accuracy of or endorse the views or opinions expressed in this press release.
The press release is provided for informational purposes only. The content does not provide tax, legal or investment advice or opinion regarding the suitability, value or profitability of any particular security, portfolio or investment strategy. Neither this website nor our affiliates shall be liable for any errors or inaccuracies in the content, or for any actions taken by you in reliance thereon. You expressly agree that your use of the information within this article is at your sole risk.
To the fullest extent permitted by applicable law, this website, its parent company, its subsidiaries, its affiliates and the respective shareholders, directors, officers, employees, agents, advertisers, content providers and licensors will not be liable (jointly or severally) to you for any direct, indirect, consequential, special, incidental, punitive or exemplary damages, including without limitation, lost profits, lost savings and lost revenues, whether in negligence, tort, contract or any other theory of liability, even if the parties have been advised of the possibility or could have foreseen any such damages.
