Mathy Vanhoef, a security researcher at New York University Abu Dhabi, has discovered vulnerabilities in the WiFi standard arising from bugs dating back to 1997. These vulnerabilities affect just about all WiFi devices sold in the past 24 years.
The vulnerabilities have been named FragAttacks (fragmentation and aggregation attacks) and can be used to abuse a victim’s WiFi connection to steal user information or even attack devices. The research will be presented at the USENIX Security conference and Black Hat USA this summer.
Vulnerabilities or flaws?
According to Vanhoef, three of the discovered vulnerabilities are design flaws in the standard itself and therefore affect the largest number of devices. The other vulnerabilities arise from programming mistakes in how most devices implement the WiFi standard.
Vanhoef’s experiments indicate that every device tested is exposed to at least one of these vulnerabilities. The flaws affect all modern WiFi security protocols, including the WPA3 specification. The fact that they also affect WEP, WiFi’s original security protocol, shows how old these design flaws really are.
It is not all bad news, however. The design flaws in the protocols are hard to abuse, because doing so requires user interaction or is ‘only possible when using uncommon network settings’, according to Vanhoef. That leaves the programming mistakes in WiFi products as the bigger concern, since they are easier targets.
A detailed overview of all the discovered vulnerabilities and their CVE identifiers can be found on Vanhoef’s GitHub.
Here is a quick rundown of the discovered flaws, grouped into design flaws in the WiFi standard, flaws in implementations of the standard, and other implementation flaws.
WiFi Standard design flaws
- CVE-2020-24588: Aggregation attack (accepting non-SPP A-MSDU frames).
- CVE-2020-24587: Mixed key attack (reassembling fragments encrypted under different keys).
- CVE-2020-24586: Fragment cache attack (not clearing fragments from memory when (re)connecting to a network).
WiFi standard implementation flaws
- CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
- CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
- CVE-2020-26140: Accepting plaintext data frames in a protected network.
- CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.
Remaining implementation flaws
- CVE-2020-26139: Forwarding EAPOL frames even though the sender is not authenticated (should only affect APs).
- CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
- CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
- CVE-2020-26142: Processing fragmented frames as full frames.
- CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.
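The two lists above amount to a set of checks a receiver must perform when reassembling fragmented frames: reject plaintext frames in a protected network, never combine fragments decrypted under different keys or with non-consecutive packet numbers, never treat a stray fragment as a full frame, and discard cached fragments on (re)connect. The following is an added example, not Vanhoef’s code and not taken from any real WiFi driver: it models a receiver-side reassembly routine that enforces those rules on constructed fragment records. The Fragment fields, the key_id metadata and the spp_amsdu policy flag are assumptions made for the illustration and do not correspond to real 802.11 frame bytes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


# Constructed, simplified model of an 802.11 data fragment. These are not real
# frame bytes; the field names are assumptions chosen to mirror the checks below.
@dataclass
class Fragment:
    src: str            # transmitter address
    seq: int            # sequence number shared by all fragments of one frame
    frag: int           # fragment number, starting at 0
    more_frags: bool    # "More Fragments" bit
    protected: bool     # "Protected Frame" bit (the fragment was encrypted)
    key_id: int         # which session key decrypted it (assumed metadata)
    pn: int             # CCMP/GCMP packet number
    amsdu: bool         # A-MSDU present flag
    payload: bytes


class FragmentReassembler:
    """Receiver-side reassembly that enforces the rules the listed CVEs violate."""

    def __init__(self, network_protected: bool, spp_amsdu: bool = False):
        self.network_protected = network_protected
        self.spp_amsdu = spp_amsdu  # assumed: SPP A-MSDU negotiated with the peer?
        self.pending: Dict[Tuple[str, int], List[Fragment]] = {}

    def reconnect(self) -> None:
        # CVE-2020-24586: stale fragments must not survive a (re)connection.
        self.pending.clear()

    def receive(self, f: Fragment) -> Tuple[str, Optional[bytes]]:
        # CVE-2020-26140 / CVE-2020-26143: no plaintext (fragments of) data
        # frames are accepted in a protected network.
        if self.network_protected and not f.protected:
            return ("drop: plaintext frame in protected network", None)

        # CVE-2020-24588: only accept aggregated frames when SPP A-MSDU is in use.
        if f.amsdu and not self.spp_amsdu:
            return ("drop: non-SPP A-MSDU", None)

        key = (f.src, f.seq)

        if f.frag == 0:
            if not f.more_frags:
                return ("deliver", f.payload)   # unfragmented frame
            self.pending[key] = [f]             # start a new reassembly
            return ("buffered", None)

        prev = self.pending.get(key)
        if prev is None:
            # CVE-2020-26142: a stray fragment is never a full frame.
            return ("drop: fragment without first fragment", None)
        last = prev[-1]
        if f.frag != last.frag + 1:
            return ("drop: out-of-order fragment number", None)
        if f.protected != last.protected:
            # CVE-2020-26147: never mix encrypted and plaintext fragments.
            self.pending.pop(key)
            return ("drop: mixed encrypted/plaintext fragments", None)
        if f.key_id != last.key_id:
            # CVE-2020-24587: all fragments must be encrypted under the same key.
            self.pending.pop(key)
            return ("drop: fragments under different keys", None)
        if f.protected and f.pn != last.pn + 1:
            # CVE-2020-26146: packet numbers of consecutive fragments must be consecutive.
            self.pending.pop(key)
            return ("drop: non-consecutive packet number", None)

        prev.append(f)
        if f.more_frags:
            return ("buffered", None)
        self.pending.pop(key)
        return ("deliver", b"".join(p.payload for p in prev))


def demo() -> dict:
    """Feed constructed fragments through the reassembler and collect the verdicts."""
    r = FragmentReassembler(network_protected=True)
    results = {}
    # A legitimate two-fragment frame: same key, consecutive packet numbers.
    r.receive(Fragment("aa", 1, 0, True, True, 1, 10, False, b"hello "))
    results["good"] = r.receive(Fragment("aa", 1, 1, False, True, 1, 11, False, b"world"))
    # Second fragment decrypted under a different key.
    r.receive(Fragment("aa", 2, 0, True, True, 1, 12, False, b"x"))
    results["mixed_key"] = r.receive(Fragment("aa", 2, 1, False, True, 2, 13, False, b"y"))
    # A fragment buffered before a reconnect must not be completed afterwards.
    r.receive(Fragment("aa", 3, 0, True, True, 1, 14, False, b"old"))
    r.reconnect()
    results["after_reconnect"] = r.receive(Fragment("aa", 3, 1, False, True, 1, 15, False, b"new"))
    # Plaintext frame in a protected network.
    results["plaintext"] = r.receive(Fragment("aa", 4, 0, False, False, 0, 0, False, b"p"))
    # Packet number jumps from 100 to 102 between fragments.
    r.receive(Fragment("bb", 9, 0, True, True, 1, 100, False, b"a"))
    results["pn_gap"] = r.receive(Fragment("bb", 9, 1, False, True, 1, 102, False, b"b"))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The design point is that every check is cheap state kept per (transmitter, sequence number) pair; a real driver additionally has to apply them in firmware or hardware offload paths, which is where several of the listed implementation bugs live.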
Vanhoef has also posted a video on YouTube demonstrating these attacks. Further technical analysis and in-depth information can be found in Vanhoef’s research paper, titled “Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation”.
How can you protect yourself?
There is a tool on GitHub that you can run on your machine to test whether clients or APs are affected by these new flaws. The tool supports over 45 test cases and can test home networks as well as enterprise networks with authentication.
However, you will need modified drivers to run this tool properly. To make the task easier, Vanhoef has provided a live USB image containing pre-installed modified drivers and firmware for certain Atheros WiFi dongles, together with a pre-configured Python environment for the tool.
If you cannot run the tool, there are also a few mitigations listed on Vanhoef’s website that can help users protect themselves. Most of the user’s protection comes from using HTTPS connections, which block the attacks.
The vulnerabilities were revealed on Microsoft’s Patch Tuesday for May 2021, and Microsoft has already delivered patches for three of the 12 vulnerabilities impacting Windows machines. Sierra Wireless, Cisco and HPE/Aruba have already issued patches, and other manufacturers are expected to develop their own soon, according to ICASI.
For more information on the attacks and a detailed FAQ, visit the FragAttacks website.