The ubiquitous Wi-Fi standard has at least three design flaws that allow a local attacker to intercept and exfiltrate wireless traffic, while additional implementation flaws enable more serious attacks for some wireless traffic, a well-known security researcher revealed this week. 

The design flaws in the IEEE 802.11 standard — more commonly known as Wi-Fi — allow an attacker who has tricked a user into visiting an attacker-controlled server to create a TCP connection and create a machine-in-the-middle (MitM) scenario, stated Mathy Vanhoef, a post-doctoral researcher at New York University Abu Dhabi, in an in-depth analysis of the security weaknesses. In addition, several vulnerabilities in specific Wi-Fi implementations make the issue more serious, allowing an attacker to gain additional access.

The results affect all protected Wi-Fi networks, starting with the older WEP standard and going all the way to the most recent version of Wi-Fi Protected Access, or WPA3, said Vanhoef in a paper to be presented at the prestigious USENIX Security Conference in August. The disclosure this week came after a nine-month coordinated effort to patch the flaws, he stated.

"The discovery of these vulnerabilities comes as a surprise because the security of Wi-Fi has in fact significantly improved over the past years," he said. "Unfortunately, a feature that could have prevented one of the newly discovered design flaws was not adopted in practice, and the other two design flaws are present in a feature of Wi-Fi that was previously not widely studied."

The three vulnerabilities in the 802.11 standard, by themselves, are not critical security risks. To exploit the vulnerabilities, the attacker must lure a targeted user to an attacker-controlled server and also be connected to the same Wi-Fi network as the victim, Vanhoef stated in his analysis.  

However, Vanhoef also found a number of implementation flaws related to the weaknesses, such as Wi-Fi devices that accept any unencrypted data frame, that allow more serious attacks. The overall implications of the vulnerabilities are unlikely to be understood for some time, says Keatron Evans, principal security researcher at cybersecurity education provider Infosec.

"What's most interesting is the fact that these latest vulnerabilities are really old and have been around for many years," he says. "It's also interesting that now that it is a topic of discussion, but we have yet to see what new and novel Wi-Fi attack vectors spawn from this. I think of them as vulnerabilities that may eventually lead to much more serious vulnerabilities and exploits."

The security research focused on two parts of the Wi-Fi standard: Aggregation allows networks to combine small data frames into larger ones to improve the throughput of the network, while fragmentation allows a network to do the opposite — split large frames into smaller ones to improve reliability. 

The vulnerable standard allowed plaintext to be injected into a data stream by sending the targeted user to an attacker-controlled server, changing the "is aggregated" flag — which is not authenticated — and then forwarding the data through the network. Two other vulnerabilities affect the way Wi-Fi devices implement fragmentation, which could allow data to sometimes be exfiltrated, Vanhoef stated. 

"The biggest risk in practice is likely the ability to abuse the discovered flaws to attack devices in someone's home network," he said. "For instance, many smart home and Internet of Things devices are rarely updated, and Wi-Fi security is the last line of defense that prevents someone from attacking these devices. Unfortunately, due to the discovered vulnerabilities, this last line of defense can now be bypassed."

Vanhoef is a well-known security researcher, having previously discovered the original key reinstallation attacks (KRACK) vulnerabilities in wireless networks.

While the attack requires a "perfect storm" of not only proximity but user interaction, the addition of nine other implementation flaws in different Wi-Fi devices and product means the potential for an attack should not be ignored, said Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, a vulnerability remediation orchestration provider, in a statement.

"That doesn't mean that these vulnerabilities can be ignored. This latest discovery should be a reminder that cyber hygiene best practices are critically important," he said. "End users and administrators alike need to be coordinated in their efforts to regularly patch connected devices, which include routers, IoT devices, and smartphones."

Companies that manage and monitor their devices should make sure the security updates are available — a list of products affected can be found on Vanhoef's GitHub page — and that devices have been updated, says Infosec's Evans.

"If an organization is already matured to where they are doing most of the security 101 stuff like patching, antivirus. and other endpoint protection, they will most likely be fine," he said. "There is an opportunity for some disruption and potentially some information leakage for unencrypted communications over the Wi-Fi."