Security News > 2023 > March > New Wi-Fi Protocol Security Flaw Affecting Linux, Android and iOS Devices

A group of academics from Northeastern University and KU Leuven has disclosed a fundamental design flaw in the IEEE 802.11 Wi-Fi protocol standard, impacting a wide range of devices running Linux, FreeBSD, Android, and iOS. Successful exploitation of the shortcoming could be abused to hijack TCP connections or intercept client and web traffic, researchers Domien Schepers, Aanjhan Ranganathan, and Mathy Vanhoef said in a paper published this week.
Besides manipulating the security context to leak frames from the queue, an attacker can override the client's security context used by an access point to receive packets intended for the victim.
"The core idea behind the attack is that the manner in which clients are authenticated is unrelated to how packets are routed to the correct Wi-Fi client," Vanhoef explained.
Cisco, in an informational advisory, described the vulnerabilities as an "Opportunistic attack and the information gained by the attacker would be of minimal value in a securely configured network."
To reduce the probability of such attacks, it's recommended to implement transport layer security to encrypt data in transit and apply policy enforcement mechanisms to restrict network access.
The findings arrive months after researchers Ali Abedi and Deepak Vasisht demonstrated a location-revealing privacy attack called Wi-Peep that also exploits the 802.11 protocol's power-saving mechanism to localize target devices.
News URL
https://thehackernews.com/2023/03/new-wi-fi-protocol-security-flaw.html
Related news
- DeepSeek's iOS app is a security nightmare, and that's before you consider its TikTok links (source)
- iOS 18 settings to lock down your privacy and security (source)
- Qualcomm pledges 8 years of security updates for Android kit using its chips (YMMV) (source)
- Google's March 2025 Android Security Update Fixes Two Actively Exploited Vulnerabilities (source)
- Android Malware Exploits a Microsoft-Related Security Blind Spot to Avoid Detection (source)
- New Ubuntu Linux security bypasses require manual mitigations (source)
- Phishing platform 'Lucid' behind wave of iOS, Android SMS attacks (source)
- Still Using an Older Version of iOS or iPadOS? Update Now to Patch These Critical Security Vulnerabilities (source)