The security researcher who discovered the Krack Wi-Fi vulnerability has discovered a slew of other flaws with the wireless protocol most of us use to power our online lives (via Gizmodo). The vulnerabilities relate to how Wi-Fi handles large chunks of data, with some being related to the Wi-Fi standard itself, and some being related to how its implemented by device manufacturers.
The researcher, Mathy Vanhoef, calls the collection of vulnerabilities FragAttacks, with the name being a mashup of fragmentation and aggregation. He also says the vulnerabilities could be exploited by hackers, allowing them to intercept sensitive data, or show users fake websites, even if theyre using Wi-Fi networks secured with WPA2 or even WPA3. They could also theoretically exploit other devices on your home network.
There are twelve different attack vectors that fall under the classification, which all work in different ways. One exploits routers accepting plaintext during handshakes, one exploits routers caching data in certain types of networks, etc. If you want to read all the technical details on how exactly they work, you can check out Vanhoefs website.
According to The Record, Vanhoef informed the WiFi Alliance about the vulnerabilities that were baked-in to the way Wi-Fi works so they could be corrected before he disclosed them to the public. Vanhoef says that hes not aware of the vulnerabilities being exploited in the wild. While he points out in a video that some of the vulnerabilities arent particularly easy to exploit, he says others would be trivial to take advantage of.
Vanhoef points out that some of the flaws can be exploited on networks using the WEP security protocol, indicating that theyve been around since Wi-Fi was first implemented in 1997 (though if youre still using WEP, these attacks should be the least of your concerns).
Vanhoef says that the flaws are wide-spread, affecting many devices, meaning that theres a lot of updating to do.
The thing about updating Wi-Fi infrastructure is that its always a pain. For example, before writing this article I went to check if my router had any updates, and realized that I had forgotten my login information (and I suspect I wont be alone in that experience). Theres also devices that are just plain old, whose manufacturers are either gone or not releasing patches anymore. If you can, though, you should keep an eye on your router manufacturers website for any updates that are rolling out, especially if theyre in the advisory list.
Some vendors have already released patches for some of their products, including:
As for anything else you need to do, Vanhoef recommends the usual steps: keep your computers updated, use strong, unique passwords, dont visit shady sites, and make sure youre using HTTPS as often as possible. Other than that, its mostly being thankful that youre not in charge of widespread IT infrastructure (my deepest condolences if you, in fact, are).