FragAttacks Vulnerabilities Expose all WiFi Devices
Several design and implementation flaws have recently been reported in the IEEE 802.11 Wi-Fi technical standard. According to the report, attackers can use the flaws to take control over entire systems and to extract sensitive information.
The flaws are collectively referred to as FragAttacks (short for Fragmentation and Aggregation attacks) and they appear to be present in all Wi-Fi security protocols, including Wired Equivalent Privacy (WEP), Wi-Fi Protected Access 3 (WPA3), and others. In other words, nearly every Wi-Fi-capable device could be at risk from these newly reported weaknesses.
According to Mathy Vanhoef, a cybersecurity researcher at New York University Abu Dhabi, all a threat actor needs in order to exploit the weaknesses is to be within radio range of the victim’s Wi-Fi-capable device. He also says that experiments have confirmed that all Wi-Fi-capable devices have at least one of the newly discovered weaknesses, and most are affected by more than one.
IEEE 802.11 underpins all modern Wi-Fi-capable devices: it is what allows smartphones, laptops, tablets, and other hardware to connect to one another and to the Internet via a nearby wireless router.
In January 2018, the WPA3 security protocol was released, and it is now an integral part of most newer Wi-Fi devices. It improves security by adding more robust authentication and stronger connection encryption, making wireless networks and the data that travels over them safer.
Vanhoef points out that the reported problems stem from programming mistakes that have been present in code for years or even decades; some of them date back to 1997. The weaknesses could allow attackers to inject arbitrary packets and thereby trick victims into using attacker-controlled DNS servers.
The following is a list of all 12 of the reported vulnerabilities:
- CVE-2020-24588: Accepts non-SPP A-MSDU frames
- CVE-2020-24587: Reassembles fragments that are encrypted under different keys
- CVE-2020-24586: Doesn’t clear fragments from memory when the device connects/reconnects to a network
- CVE-2020-26145: Accepts plaintext broadcast fragments as full frames within encrypted networks
- CVE-2020-26144: Accepts plaintext A-MSDU frames starting with an RFC1042 header with EtherType EAPOL
- CVE-2020-26140: Accepts plaintext data frames in a protected network
- CVE-2020-26143: Accepts fragmented plaintext data frames in a protected network
- CVE-2020-26139: Forwards EAPOL frames, although the sender has not yet been authenticated
- CVE-2020-26146: Reassembles encrypted fragments using non-consecutive packet numbers
- CVE-2020-26147: Reassembles mixed encrypted/plaintext fragments
- CVE-2020-26142: Processes fragmented frames as full frames
- CVE-2020-26141: Doesn’t verify the TKIP MIC of fragmented frames
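To make the list above concrete from the defender's side, here is an added example (not code from the article, from Vanhoef, or from any vendor patch) that models the receiver checks a hardened Wi-Fi stack should apply; each check is annotated with the CVE above whose missing validation it supplies. Frame fields are represented by a small Python dataclass rather than parsed from real 802.11 captures, the AP-side EAPOL forwarding check (CVE-2020-26139) and the TKIP MIC check (CVE-2020-26141) are not modelled, the RFC 1042 LLC/SNAP header (AA AA 03 00 00 00) and the EAPOL EtherType (0x888E) are real constants, and every sample frame in demo() is constructed for illustration. Treating an A-MSDU whose first subframe starts with the RFC 1042 header as invalid is a modelling choice of this example, not something the article states.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# LLC/SNAP header used for RFC 1042 encapsulation, and the EAPOL EtherType.
RFC1042_HEADER = bytes.fromhex("aaaa03000000")
ETHERTYPE_EAPOL = bytes.fromhex("888e")


@dataclass(frozen=True)
class Fragment:
    """The fields of a received data frame that the checks below look at."""
    seq: int                # sequence number, shared by all fragments of one MSDU
    frag: int               # fragment number, 0 for the first fragment
    more_frags: bool        # "More Fragments" bit of the frame control field
    protected: bool         # Protected Frame bit (the frame was encrypted)
    key_id: Optional[int]   # key the frame was decrypted with, None if plaintext
    pn: Optional[int]       # CCMP/GCMP packet number, None if plaintext
    is_amsdu: bool          # A-MSDU Present bit of the QoS control field
    payload: bytes


@dataclass
class _Pending:
    """Reassembly state for one partially received MSDU."""
    protected: bool
    key_id: Optional[int]
    last_pn: Optional[int]
    next_frag: int
    chunks: List[bytes] = field(default_factory=list)


class HardenedReceiver:
    """Per-sender receive path that refuses the frame combinations FragAttacks rely on."""

    def __init__(self) -> None:
        self.keys_installed = False             # True once the 4-way handshake is done
        self.pending: Dict[int, _Pending] = {}  # keyed by sequence number
        self.drops: List[str] = []              # reasons for rejected frames (logs/tests)

    def on_connect(self) -> None:
        # CVE-2020-24586: forget partial MSDUs on (re)connect, so fragments of one
        # session can never be joined with fragments of the next.
        self.pending.clear()
        self.keys_installed = False

    def _drop(self, reason: str) -> None:
        self.drops.append(reason)

    def receive(self, f: Fragment) -> Optional[bytes]:
        """Return a complete MSDU payload, or None if nothing is delivered."""
        if not f.protected:
            if self.keys_installed:
                # CVE-2020-26140 / -26143 / -26145: once keys exist, no plaintext
                # data frame (fragmented, broadcast or otherwise) is accepted.
                return self._drop("plaintext data frame in protected network")
            # Before key installation only a single, unfragmented, non-aggregated
            # plaintext EAPOL frame is acceptable (CVE-2020-26144 covers the rest).
            if (f.is_amsdu or f.frag or f.more_frags
                    or not f.payload.startswith(RFC1042_HEADER + ETHERTYPE_EAPOL)):
                return self._drop("plaintext non-EAPOL frame before key installation")
            return f.payload

        if f.is_amsdu:
            if f.frag or f.more_frags:
                return self._drop("fragmented A-MSDU")
            # CVE-2020-24588 (modelling choice): an A-MSDU whose first subframe's
            # destination field equals the RFC 1042 header is what an ordinary frame
            # looks like when parsed as aggregated, so it is discarded.
            if f.payload.startswith(RFC1042_HEADER):
                return self._drop("A-MSDU starting with RFC1042 header")
            return f.payload

        st = self.pending.get(f.seq)
        if f.frag == 0:
            if not f.more_frags:
                return f.payload  # unfragmented frame, deliver as-is
            self.pending[f.seq] = _Pending(f.protected, f.key_id, f.pn, 1, [f.payload])
            return None
        if st is None:
            # CVE-2020-26142: a later fragment is never processed as a full frame
            return self._drop("fragment without a first fragment")
        # CVE-2020-24587 / -26146 / -26147: same key, consecutive PN, same protection
        if (f.frag != st.next_frag or f.key_id != st.key_id or f.protected != st.protected
                or f.pn is None or st.last_pn is None or f.pn != st.last_pn + 1):
            self.pending.pop(f.seq)
            return self._drop("inconsistent fragment (order, key, PN or protection)")
        st.chunks.append(f.payload)
        st.last_pn, st.next_frag = f.pn, st.next_frag + 1
        if f.more_frags:
            return None
        self.pending.pop(f.seq)
        return b"".join(st.chunks)


def demo() -> dict:
    """Constructed sample traffic: a legitimate split MSDU, then one split across a key change."""
    rx = HardenedReceiver()
    rx.on_connect()
    rx.keys_installed = True
    first = rx.receive(Fragment(10, 0, True, True, 1, 100, False, b"hello "))
    whole = rx.receive(Fragment(10, 1, False, True, 1, 101, False, b"world"))
    rx.receive(Fragment(11, 0, True, True, 1, 102, False, b"secret "))
    rekeyed = rx.receive(Fragment(11, 1, False, True, 2, 103, False, b"data"))  # key 1 -> 2
    return {"first": first, "whole": whole, "rekeyed": rekeyed, "drops": list(rx.drops)}
```

Running demo() shows a legitimate two-fragment MSDU reassembling to b"hello world" while the MSDU whose second fragment arrives under a different key is refused; the drops list records the reason for every rejected frame, which is the kind of counter a driver would want to expose in its logging so that these conditions become visible to detection tooling.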
Threat actors can exploit these bugs to inject arbitrary packets, intercept traffic and extract sensitive information, carry out DoS (Denial of Service) attacks, and even break the encryption of WPA and WPA2 networks.
According to Vanhoef, an attacker who manages to inject arbitrary network packets towards a targeted client could use this to make the client use a rogue DNS server. He explains that this can potentially let the attacker circumvent the firewall/NAT and connect directly to devices on the local network.
In theory, these weaknesses can serve as the starting point of sophisticated attacks that let threat actors take full control over out-of-date Windows 7 systems connected to the local network. The good news is that the flaws are not easy to exploit: in some cases user interaction is required for them to work, and in others exploitation is only possible when certain uncommon network settings are in use.
The discoveries were reported to the Wi-Fi Alliance, after which firmware updates were developed over a 9-month period during which the flaws were not disclosed to the public out of safety concerns. Microsoft also developed fixes for several of the bugs, namely CVE-2020-24587, CVE-2020-26144, and CVE-2020-24588, which are part of this month’s patch release. Additionally, Vanhoef has stated that an updated Linux kernel is currently being developed to protect Linux distributions against these flaws.
This is not the first time Vanhoef has discovered serious Wi-Fi flaws. Back in 2017, the security researcher warned about a series of WPA2 protocol flaws known as Key Reinstallation Attacks (KRACKs). Those could have allowed an attacker to gain access to sensitive personal information, including credit and debit card numbers, usernames and passwords, and even to read private messages.
The researcher points out that security improvements made on a regular basis could have taken care of such vulnerabilities before they could be combined into a practical attack. In his view, it is essential to work continuously on improving the security of devices and systems rather than wait for a major weakness to be discovered and only then start developing a fix.
Other companies, including HPE/Aruba Networks, Cisco, Sierra Wireless, and Juniper Networks, have also developed mitigations for potential FragAttacks. These are all listed in the advisory that ICASI (the Industry Consortium for Advancement of Security on the Internet) recently released.
According to the Wi-Fi Alliance, there is currently no evidence of these vulnerabilities being exploited in the wild. The organization notes that such attacks can be mitigated by installing the latest updates for the respective devices and by following the general rules of safe browsing and Internet use.