How The 'FragAttacks' Affect Most If Not All Wi-Fi Devices Since 1997
No product is perfect. Even when that product has been around for ages, there is always a chance that there are flaws yet to be discovered.

This time, Mathy Vanhoef, a security researcher at New York University Abu Dhabi, discovered a set of Wi-Fi security vulnerabilities. Collectively known as 'FragAttacks', short for 'fragmentation and aggregation attacks', these bugs affect most if not all Wi-Fi devices in existence.

In other words, Wi-Fi enabled devices such as computers, smartphones, and other smart devices going back as far as 1997 are affected.

As explained by Vanhoef on a web page dedicated to FragAttacks:

"Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities."

"The discovered vulnerabilities affect all modern security protocols of Wi-Fi, including the latest WPA3 specification. Even the original security protocol of Wi-Fi, called WEP, is affected."

"This means that several of the newly discovered design flaws have been part of Wi-Fi since its release in 1997!"

In all, there are 12 flaws. They relate to how Wi-Fi handles large chunks of data (fragmenting frames, and aggregating several into one); some are design flaws in the Wi-Fi standard itself, and some are flaws in how device manufacturers implemented it:

  1. CVE-2020-24588: Accepting non-SPP A-MSDU frames.
  2. CVE-2020-24587: Reassembling fragments encrypted under different keys.
  3. CVE-2020-24586: Not clearing fragments from memory when (re)connecting to a network.
  4. CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
  5. CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
  6. CVE-2020-26140: Accepting plaintext data frames in a protected network.
  7. CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.
  8. CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated.
  9. CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
  10. CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
  11. CVE-2020-26142: Processing fragmented frames as full frames.
  12. CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.
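
Several of the flaws above are failures of a single receiver-side routine: the fragment cache that stitches 802.11 fragments back into a frame. The following Python model is an added example, not code from the page or from Vanhoef's research; it shows the checks a patched receiver in a protected network enforces, keyed to the CVEs they correspond to. The `Fragment` class and its field names are a simplification chosen for this example (a real driver reads these values from the Sequence Control, Frame Control and CCMP/GCMP header fields).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Fragment:
    """One received data frame or fragment, as seen after decryption.

    Simplified model for this example: seq/frag_num stand in for the Sequence
    Control field, more_frags for the flag in Frame Control, and key_id/pn for
    the CCMP/GCMP header. A plaintext frame has encrypted=False and no key_id/pn.
    """
    seq: int
    frag_num: int
    more_frags: bool
    encrypted: bool
    payload: bytes
    key_id: Optional[int] = None
    pn: Optional[int] = None


class RejectedFragment(Exception):
    """Raised when a fragment violates one of the reassembly rules."""


class FragmentReassembler:
    """Receiver-side fragment cache for one sender in a protected network."""

    def __init__(self) -> None:
        self._pending: Optional[dict] = None

    def on_reconnect(self) -> None:
        # CVE-2020-24586: a (re)connect must drop any half-reassembled frame,
        # otherwise stale fragments could later be combined with fresh ones.
        self._pending = None

    def _reject(self, reason: str) -> None:
        # Any violation discards the partial frame as well as the fragment.
        self._pending = None
        raise RejectedFragment(reason)

    def receive(self, frag: Fragment) -> Optional[bytes]:
        """Return the reassembled payload when a frame completes, else None."""
        # CVE-2020-26140 / CVE-2020-26143 / CVE-2020-26147: once the link is
        # protected, no plaintext data frame is accepted, whether it is a whole
        # frame, a fragment, or a fragment mixed into an encrypted frame.
        if not frag.encrypted or frag.key_id is None or frag.pn is None:
            self._reject("plaintext data frame in a protected network")

        if frag.frag_num == 0:
            if not frag.more_frags:
                return frag.payload  # ordinary unfragmented frame
            # First fragment: open fresh reassembly state for this frame.
            self._pending = {"seq": frag.seq, "key_id": frag.key_id,
                             "next_frag": 1, "last_pn": frag.pn,
                             "parts": [frag.payload]}
            return None

        # CVE-2020-26142: a fragment with frag_num > 0 is never a full frame;
        # without a matching first fragment it has nothing to attach to.
        if self._pending is None:
            self._reject("fragment without a preceding first fragment")
        p = self._pending
        if frag.seq != p["seq"] or frag.frag_num != p["next_frag"]:
            self._reject("fragment out of order or from another frame")
        # CVE-2020-24587: all fragments must be decrypted under the same key.
        if frag.key_id != p["key_id"]:
            self._reject("fragments encrypted under different keys")
        # CVE-2020-26146: packet numbers of fragments must be consecutive.
        if frag.pn != p["last_pn"] + 1:
            self._reject("non-consecutive packet number")

        p["parts"].append(frag.payload)
        p["next_frag"] += 1
        p["last_pn"] = frag.pn
        if frag.more_frags:
            return None
        self._pending = None
        return b"".join(p["parts"])


if __name__ == "__main__":
    # Constructed sample traffic: a two-fragment frame under key 0, then a
    # second frame whose last fragment arrives under a different key.
    r = FragmentReassembler()
    print(r.receive(Fragment(1, 0, True, True, b"GET /", 0, 10)))
    print(r.receive(Fragment(1, 1, False, True, b"index", 0, 11)))
    try:
        r.receive(Fragment(2, 0, True, True, b"A", 0, 20))
        r.receive(Fragment(2, 1, False, True, b"B", 1, 21))
    except RejectedFragment as e:
        print("rejected:", e)
```

The model deliberately drops the whole partial frame on any violation rather than just the offending fragment, which is the conservative choice a driver fix makes: a fragment cache that survives a bad fragment is exactly the state an attacker hopes to poison.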

To abuse the FragAttacks vulnerabilities, an attacker needs to be within Wi-Fi range of the targeted device.

"An adversary that is within radio range of a victim can abuse these vulnerabilities to steal user information or attack devices," said Vanhoef.

From that position, an attacker can steal sensitive user data, launch denial-of-service attacks, and possibly decrypt packets in WPA or WPA2 networks; depending on the device, the flaws may also serve to run malicious code and take over the compromised system.

In a hypothetical attack scenario, these bugs can serve as a stepping stone for more advanced attacks.

Making things worse, some of the FragAttacks vulnerabilities are not difficult to exploit, which would allow hackers to abuse unpatched Wi-Fi products with relative ease. Fortunately, as Vanhoef found, the design flaws in the standard itself are harder to take advantage of: "the design flaws are hard to abuse because doing so requires user interaction or is only possible when using uncommon network settings."

"If network packets can be injected towards a client, this can be abused to trick the client into using a malicious DNS server," Vanhoef explained in a research paper.

"If network packets can be injected towards an [access point], the adversary can abuse this to bypass the NAT/firewall and directly connect to any device in the local network."

Since the flaws are widespread, affecting so many devices, a great deal of updating is needed.

Vanhoef has shared his findings with the Wi-Fi Alliance.

The organization then coordinated firmware updates, which were developed during a nine-month coordinated disclosure period. Microsoft, for its part, released fixes for some of the flaws as part of its Patch Tuesday update for May 2021, and the Linux kernel developers are also preparing their own patches.

The Industry Consortium for Advancement of Security on the Internet (ICASI) added that vendors are also developing patches for their respective products to mitigate the FragAttacks bugs.

"There is no evidence of the vulnerabilities being used against Wi-Fi users maliciously, and these issues are mitigated through routine device updates that enable detection of suspect transmissions or improve adherence to recommended security implementation practices," the Wi-Fi Alliance said.

While many vendors are actively developing patches, some products will likely never receive an update.

To stay safe, users can still mitigate some of the attacks by making sure that all websites and online services they use are served over HTTPS, so that injected packets cannot tamper with the content in transit.

Additional mitigation advice available on the FragAttacks website suggests "disabling fragmentation, disabling pairwise rekeys, and disabling dynamic fragmentation in Wi-Fi 6 (802.11ax) devices."

Vanhoef added that users should always keep their computers updated, use strong and unique passwords, and avoid visiting untrustworthy sites.

Vanhoef previously discovered the KRACK and Dragonblood attacks.