Solving this vulnerability will prove challenging, says Northeastern professor Francesco Restuccia, as it will require an update to the Wi-Fi standard itself, a complicated and lengthy process.
We often take for granted just how ubiquitous Wi-Fi has become over the past two decades, explains Northeastern University electrical and computer engineering professor Francesco Restuccia, who is also a member of the Institute for the Wireless Internet of Things.
Wi-Fi provides wireless connectivity to more than 20 billion devices around the globe, including smartphones, laptops, game consoles, and smart TVs. And for most people, Wi-Fi works so smoothly it almost feels magical.
“It’s one of the most pervasive technologies ever invented by mankind,” Restuccia says. “We seamlessly utilize Wi-Fi every day without even knowing we are. It’s so pervasive that it has basically disappeared into our lives.”
Restuccia is one of several authors of new research that will be presented in May at the IEEE International Conference on Computer Communications (INFOCOM).The research uncovers a significant vulnerability in a wireless technology found in nearly every Wi-Fi system.
And it could have devastating effects for Internet users around the world.
The researchers, including doctor Francesca Meneghello, who visited Northeastern in 2023 on a Fulbright Shuman scholarship, have found a security flaw concerning MU-MIMO (multi-user, multiple input, multiple output), which is a key component of modern Wi-Fi networks.
In a nutshell, MU-MIMO allows multiple users to share network’s time and spectrum resources improving the communication efficiency and the quality of service delivered to the users. It was introduced as part of Wi-Fi 5 standard in 2013 and has been employed ever since.
What Restuccia and his colleagues have uncovered is that a malicious actor on the Wi-Fi network could take advantage of the MU-MIMO setup procedure and stealthily introduce malicious information to slow Internet speeds for other users to a crawl.
Uncovering this type of attack will also be very difficult for users, as malicious actors are taking advantage of technologies built in the Wi-Fi standard to execute it.
Solving this vulnerability will prove challenging, Restuccia says, as it may involve an update to the Wi-Fi standard itself, a complicated and lengthy process that will require the involvement of the IEEE (Institute of Electrical and Electronics Engineers), the standards organization charged with overseeing those procedures.
“That means, unfortunately, that this vulnerability cannot be easily fixed in the Wi-Fi devices already deployed in the world today,” he says.
“We assume that wireless networks are secure, but unfortunately some of the technologies wireless networks currently use are fundamentally insecure,” he says.
Wi-Fi 7-certified devices started to be released early last year, so Restuccia and his colleagues will call on the standards body to address this vulnerability as part of the update to the Wi-Fi 8 standard. But that is likely still years away.
“The Wi-Fi standard takes a lot of time and a lot of effort to change. There are so many stakeholders involved,” he says.
“There are a number of potential methods to address the vulnerability, but they come with tradeoffs,” Restuccia says. One potential solution is to encrypt Wi-Fi control data, making it more challenging for bad actors to intercept the process, but that could result in lower Internet speeds for customers.
“Ultimately, addressing the issue will have to be a collaborative effort,” he says.
“As researchers, we have discovered and disclosed the issue, but it’s up to the community to define the best course of action,” he says.