The security researcher who discovered the Krack Wi-Fi vulnerability found many other flaws in the wireless protocol that most of us use to power our online lives (through Gizmodo). The vulnerabilities are related to the way Wi-Fi handles large pieces of data, some related to the Wi-Fi standard itself, and others related to the way this is implemented by device manufacturers.
The researcher, Mathy Vanhoef, calls the collection of vulnerabilities “FragAttacks”, and the name is a mixture of “fragmentation” and “aggregation”. He also says the vulnerabilities could be exploited by hackers, allowing them to intercept sensitive data or show users fake websites, even if they use WPA2 or even WPA3-protected Wi-Fi networks. Theoretically, they could use other devices on your home network.
There are twelve different attack vectors that fall into the classification that work in different ways. A person operates routers that accept plaintext during handshakes, one operates routers that cache data on certain types of networks, and so on. If you want to read all the technical details about exactly how they work, you can check out the Vanhoef website.
According to The record, Vanhoef informs the WiFi Alliance about the vulnerabilities that are involved in the way Wi-Fi works so that they can be fixed before disclosing them to the public. Vanhoef says he is unaware of the vulnerabilities used in the wild. While he points out in a video that some of the vulnerabilities are not very easy to use, he says others would be “trivial”
Vanhoef points out that some of the shortcomings can be exploited on networks using the WEP security protocol, indicating that they have existed since Wi-Fi was first introduced in 1997 (although if you still use WEP , these attacks should be the least of your worries).
Vanhoef says the shortcomings are widespread and affect many devices, which means there are many updates that need to be made.
The job of updating the Wi-Fi infrastructure is that it’s always a pain. For example, before writing this article, I went to check if my router had any updates and realized that I had forgotten my login details (and I suspect I will not be alone in this experience). There are also devices that are just old, whose manufacturers have either disappeared or no longer patch. However, if you can, you should keep an eye on your router manufacturer’s website for any updates that are released, especially if they are on the list of recommendations.
Some suppliers have already released adjustments for some of their products, including:
As for everything else you need to do, Vanhoef recommends the usual steps: keep your computers up-to-date, use strong, unique passwords, don’t visit shady sites, and make sure you use HTTPS as often as possible. Also, most of all, you’re thankful that you’re not responsible for the widespread IT infrastructure (my deepest condolences, if you really are).