12 New FragAttack Vulnerabilities Risk Every Wi-Fi Device Made Since 1997

essidsolutions

Krack Attack discoverer Mathy Vanhoef last year unearthed 12 new vulnerabilities residing in EVERY Wi-Fi device ever made. Patches from Microsoft, Cisco, Aruba Networks, Sierra Wireless, Netgear, and Juniper are already out while the development of a fix for other devices is underway.

Every couple of years, Belgian security researcher Mathy Vanhoef seems to dig up vulnerabilities affecting his core area of expertise: wireless or Wi-Fi security. Four years after he discovered KRACK attacks (Key Reinstallation Attacks), Vanhoef this week made public the findings of the past year: a dozen security vulnerabilities in almost every Wi-Fi product produced in the past 24 years.

Vanhoef said the set of vulnerabilities enables what he calls FragAttacks, a portmanteau of ‘fragmentation and aggregation,’ which broadly describes the flaws. He discovered them at least nine months ago, when he apprised the Wi-Fi Alliance of the threat.

Nine of the twelve FragAttack flaws exist because of incorrect implementation of the Wi-Fi standard in wireless products. The remaining three are a direct consequence of imperfections in the standard itself. Since the implementation of the standard varies from product to product and company to company, Vanhoef explained, the majority of the impacted devices have one or more of the three vulnerabilities.

“Three of the discovered vulnerabilities are design flaws in the Wi-Fi standard and therefore affect most devices,” said Vanhoef. “Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities.”

The researcher, who also unearthed the Dragonblood attacks in 2019, expressed surprise at his discovery, considering the continuous improvements in wireless security protocols. Vanhoef said, “Unfortunately, a feature that could have prevented one of the newly discovered design flaws was not adopted in practice, and the other two design flaws are present in a feature of Wi-Fi that was previously not widely studied.”


What are FragAttack Vulnerabilities?

There is no evidence of active exploitation of any of the dozen vulnerabilities. However, they can allow an attacker to steal sensitive user data as well as attack devices connected to the Wi-Fi network, which means the attack surface grows with the number of connected devices, from computers and smartphones to smart appliances and other IoT devices.

A couple of prerequisites, though. For successful exploitation, the attacker needs to be within close range of the victim device. They further need to convince their target to download an image from the attacker’s server and set the aggregated flag on an encrypted IPv4 packet they are sending.

Vanhoef notes that the ability to attack and compromise connected devices is perhaps the biggest risk facing home networks. “For instance, many smart home and internet-of-things devices are rarely updated, and Wi-Fi security is the last line of defense that prevents someone from attacking these devices. Unfortunately, due to the discovered vulnerabilities, this last line of defense can now be bypassed.”

Vanhoef demonstrated the FragAttack vulnerabilities in the video below:

Listed in the table below, all vulnerabilities scored between 4.8 and 6.5 on the CVSS scale, placing them in the ‘Medium’ severity category.

Vulnerability   Description

Design Flaws

CVE-2020-24586  Fragmentation cache not cleared from memory on reconnection
CVE-2020-24587  Reassembling fragments encrypted under different keys
CVE-2020-24588  Accepting non-SPP A-MSDU frames, which may lead to the payload being parsed as an L2 frame under an A-MSDU bit-toggling attack

Implementation Flaws

CVE-2020-26139  Forwarding EAPOL from an unauthenticated sender
CVE-2020-26140  Accepting plaintext data frames even in protected networks
CVE-2020-26141  Not verifying the TKIP Message Integrity Check (MIC) of fragmented frames
CVE-2020-26142  Processing fragmented frames as full frames
CVE-2020-26143  Accepting fragmented plaintext frames, allowing injection of arbitrary data in protected networks
CVE-2020-26144  Always accepting unencrypted A-MSDU frames, which may allow arbitrary network packet injection
CVE-2020-26145  Accepting plaintext broadcast fragments as full frames, which can disregard network configuration for arbitrary network packet injection
CVE-2020-26146  Reassembling encrypted fragments with non-consecutive packet numbers
CVE-2020-26147  Reassembling mixed encrypted/plaintext fragments, through which packets can be injected and selected fragments exfiltrated
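To make the reassembly-related entries in the table concrete, here is an added example (not code from the article or from Vanhoef’s tool) of the receiver-side checks a Wi-Fi stack needs in order not to be affected by them: a constructed model of a fragment cache that refuses plaintext fragments in a protected network, fragments encrypted under different keys, non-consecutive packet numbers, and stale fragments after a reconnection. All field and class names are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model of a receiver's 802.11 fragment reassembly (field names are
# assumptions for illustration); each check maps to a FragAttacks CVE from the table.

@dataclass
class Fragment:
    sender: str        # transmitter MAC address
    seq: int           # sequence number shared by all fragments of one frame
    frag: int          # fragment number, starting at 0
    more_frags: bool   # True on every fragment except the last
    encrypted: bool    # False for a plaintext frame
    key_id: int        # pairwise key that encrypted this fragment
    pn: int            # CCMP/GCMP packet number (replay counter)
    payload: bytes

@dataclass
class Receiver:
    protected: bool = True  # WPA/WPA2/WPA3 network: plaintext data frames not allowed
    cache: Dict[Tuple[str, int], List[Fragment]] = field(default_factory=dict)
    rejected: List[str] = field(default_factory=list)

    def on_reconnect(self, sender: str) -> None:
        # CVE-2020-24586: a station's cached fragments must not survive reconnection
        for key in [k for k in self.cache if k[0] == sender]:
            del self.cache[key]

    def _reject(self, key: Tuple[str, int], reason: str) -> None:
        self.rejected.append(reason)
        self.cache.pop(key, None)  # drop the whole partial frame, not just this fragment

    def receive(self, f: Fragment) -> Optional[bytes]:
        # Returns the reassembled frame when complete and valid, otherwise None.
        key = (f.sender, f.seq)
        if self.protected and not f.encrypted:  # CVE-2020-26140/26143/26147
            return self._reject(key, f"plaintext frame seq={f.seq} frag={f.frag}")
        pending = self.cache.get(key, [])
        if f.frag != len(pending):
            return self._reject(key, f"out-of-order fragment {f.frag} in seq={f.seq}")
        if pending:
            prev = pending[-1]
            if f.key_id != prev.key_id:  # CVE-2020-24587: one key per frame
                return self._reject(key, f"mixed keys in seq={f.seq}")
            if f.pn != prev.pn + 1:  # CVE-2020-26146: PNs must be consecutive
                return self._reject(key, f"non-consecutive PN in seq={f.seq}")
        pending.append(f)
        self.cache[key] = pending
        if f.more_frags:
            return None
        return b"".join(p.payload for p in self.cache.pop(key))
```

Each rejection discards the whole partially reassembled frame, so a single bad fragment cannot be spliced into an otherwise valid one.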

The proof-of-concept remains under wraps to give device vendors time to address the threat. It is unclear whether the PoC will be released before Vanhoef presents his research at USENIX Security ’21 and Black Hat USA 2021.


What is Affected by FragAttack Flaws?

On the device front, we’ve already established that every device using the Wi-Fi standard (including smartphones) is impacted; however, the impact varies from device to device. It can be minor for some devices, while for others it can be disastrous.

But at the protocol level, multiple security protocols going back as far as 1997 were found to be affected, so devices using Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), WPA2, and even the latest WPA3 protocol are vulnerable. TKIP may be relatively, though not completely, safer, but Vanhoef pointed out that the protocol is vulnerable to other, more serious bugs and that the Wi-Fi Alliance has phased it out of devices.

Mitigation of FragAttack Vulnerabilities

The good news is that temporary mitigations of the bugs are available. The bad news is that permanent solutions aren’t available for all devices.

Since Vanhoef’s disclosure last year, the Wi-Fi Alliance and the Industry Consortium for Advancement of Security on the Internet (ICASI) have worked quietly, for obvious reasons, with device vendors to address and patch the vulnerabilities.

Consequently, security updates are already available from several vendors, as noted at the top of this article. Those of you using a device whose fix isn’t available yet should keep it up to date with the latest firmware updates, refrain from reusing passwords, perform regular backups of important data, stay away from risky websites, and so on.

Besides maintaining basic security hygiene through the above steps, affected users should be able to deter data exfiltration by ensuring that HTTPS is used. Vanhoef recommends installing the HTTPS Anywhere plugin in the browser to make HTTPS use mandatory.

Users can also disable fragmentation, pairwise rekeys, and dynamic fragmentation in Wi-Fi 6 (802.11ax) devices, and manually configure DNS servers, as additional mitigation measures.

Also check out its test tool with 45+ test cases, a live USB image; it can test both APs and clients, both home and enterprise networks, supports multiple network cards, and contains references to slides and other overview info 🙂

— Mathy Vanhoef (@vanhoefm) May 11, 2021

Wrapping Up

This is the Qualcomm modem chip flaw all over again. The fallout from FragAttack vulnerabilities is identical to concerns brewing up over vendor-specific security updates for vulnerable Android devices featuring a Qualcomm Mobile Station Modem chip. And even as both Qualcomm and the Wi-Fi Alliance are working with respective device vendors to nullify the threat, it is unrealistic to expect that all affected devices will be fixed.

Twenty-four years is a long time. Multiple technologies have been introduced, leveraged, and become obsolete between 1997 and 2021. So if a threat comes along that transcends so many devices, the prudent thing is to do everything we can to prevent any misdeeds, which is our way of asking, “Did you check the HTTPS status of this page?”
