There’s a New Wi-Fi Hack in Town, and Nearly Everyone Is Vulnerable
Wi-Fi has been around in some form for more than two decades, and over the years, researchers have discovered all kinds of vulnerabilities that can be used to hack into networks and steal data as it passes through.
Well, there’s a new one to add to the list.
Last week, researchers from NYU Abu Dhabi announced a new set of bugs. They go back decades and affect virtually every Wi-Fi network out there.
It’s called FragAttack, short for “fragmentation and aggregation attacks.”
The good news is, it’s very difficult to exploit, and there’s no reason to think anyone has taken advantage of it until now. And in the meantime, most of the major companies have already released fixes for their devices.
The theory behind FragAttack can get very technical very quickly, but it all comes down to how wireless networks send and receive data.
Say you pull up a website in your browser. You don’t just receive the whole entire site as one chunk of data. Instead, you get the data broken down into smaller, more manageable pieces. That’s called fragmentation, and it happens whenever you transmit any data over a network.
But there’s more to data transmission than that. For efficiency reasons, modern devices will also combine pieces of data in certain ways before sending them. That’s aggregation.
As you can probably guess from the names, FragAttack takes advantage of the way both fragmentation and aggregation work over wireless networks.
The researchers discovered that under the right circumstances, attackers can add some data of their own to the more legitimate information being sent to you over the network. The device won’t notice the difference.
Hackers can use that to their advantage in all kinds of ways — injecting information that allows them to decode your data, for example, or potentially taking over a device if it has other unpatched problems.
That said, like basically all Wi-Fi hacks, the attacker would have to be close enough to be on the same network as you to actually pull this off. We’re talking, like, sitting outside your house or in the same coffee shop.
You can also protect your sensitive data from this attack (and most others) by making sure that any websites you visit that might send or receive personal data have the letters “https” at the beginning of the URL. That means they’re using high-security encryption to scramble any data you’re sending or receiving.
FragAttack was hard to discover and would be even harder to execute, and there’s no evidence attackers have been using it yet.
Still, now that the information is public, you can bet there will be people looking for ways to exploit it.
Luckily, the researchers involved have been working with the major companies to give them time to put out fixes for FragAttack, and many have.
So, go update your devices. And in the meantime, if you’re using Wi-Fi that unknown strangers might have access to, just keep an eye out for that “https” in URLs before you send any personal info.