‘FragAttacks’: Wi-Fi Bugs Affect Millions of Devices


Wi-Fi devices going back to 1997 are vulnerable to attackers who can steal your data if they’re in range.

A Belgian security researcher specializing in Wi-Fi bugs has unearthed a clutch of new ones, which he called FragAttacks, that affect the Wi-Fi standard itself. The name is short for “fragmentation and aggregation attacks.”

Some bugs date back to 1997, meaning that computers, smartphones or other smart devices as old as 24 years may be vulnerable to attackers in Wi-Fi range. If attackers are near enough, they could intercept the owner’s information, trigger malicious code, and/or take over the device.

Mathy Vanhoef, the Belgian security researcher who discovered the FragAttacks, said in a Tuesday post that three of the vulnerabilities are design flaws in the Wi-Fi standard and therefore “affect most devices.” Several other vulnerabilities are caused by “widespread programming mistakes,” he said, with experiments indicating that “every Wi-Fi product is affected by at least one vulnerability,” with most affected by several.

Vanhoef knows his Wi-Fi protocols and how to shred them: He previously discovered the KRACK attack, a devastating weakness in the WPA2 protocol that allows attackers to decrypt encrypted traffic, steal data and inject malicious code, depending on the network configuration. He also found the RC4 NOMORE attack, which helped drive nails into the coffin of the RC4 encryption algorithm, as well as the Dragonblood attack against WPA3 Wi-Fi networks that would allow attackers to steal passwords.

The video below demonstrates three ways attackers can exploit the latest vulnerabilities: By intercepting victims’ authentication credentials; abusing insecure internet-of-things (IoT) devices by remotely flipping a smart power socket on and off; and by serving as a foothold to launch advanced attacks, particularly by hijacking an outdated Windows 7 machine inside a local network.

Bugs Are Not Being Exploited in the Wild…Maybe

Vanhoef said that the design flaws aren’t being exploited now, nor have they been in the past – at least, not that he and his team are aware of. Because it took so long to discover some of the flaws, his hunch is that they haven’t yet been uncovered elsewhere. It’s tough to say for sure, though, given how difficult it is to monitor all these devices, with the flaws reaching back over more than two decades. “So it is hard to give a definite answer to this question,” he said.

How the Bugs Work

Several of the implementation flaws can be abused to “easily” inject frames into a protected Wi-Fi network, Vanhoef explained. “In particular, an adversary can often inject an unencrypted Wi-Fi frame by carefully constructing this frame,” he wrote.

One way these bugs can be abused to intercept a device owner’s information is by tricking the client into using a malicious DNS server, as his demo video shows. Those flaws can also be used to compromise routers by bypassing the NAT/firewall, which would let attackers go after devices in a local Wi-Fi network. The demo video above demonstrates one example: An attack on an outdated Windows 7 machine.

The demo also shows how other vulnerabilities are linked to the process by which the Wi-Fi standard breaks and then reassembles network packets, allowing an attacker to siphon data by injecting their own malicious code during the operation.

How Does He Know That *Every* Device Is Affected?

Experiments were done on more than 75 devices, with every one of them proving vulnerable to at least one of the discovered attacks. Could there be FragAttack-resistant Wi-Fi gadgets tucked into some cave in some dark corner of the globe? Well, if you find one, let him know, Vanhoef wrote.

“I’m curious myself whether all devices in the whole world are indeed affected though!” he said. “To find this out, if you find a device that isn’t affected by at least one of the discovered vulnerabilities, let me know.”

Device vendors, this could be your 15 minutes of fame. The researcher said that if you think your product isn’t affected, please send him one: After he confirms that it can shrug off FragAttacks, the name of the company and the product will be featured in his post. No silent patches, please: Vanhoef has ways to sniff out whether the device was indeed available before the vulnerabilities were disclosed. He plans to present his research at the USENIX Security conference, with a longer talk and more background scheduled for Black Hat USA, which takes place July 31-Aug. 5.

Welcome to a Hellish, Ongoing Patching Job

Disclosure of the FragAttack vulnerabilities comes after a nine-month embargo: A period in which the Wi-Fi Alliance has been overhauling its standard and guidelines and working with device vendors as they release firmware patches, with supervision from the Industry Consortium for Advancement of Security on the Internet (ICASI). Not all vendors have patched at this point, but ICASI has published an overview of where they’re at.

The creaky WEP protocol won’t save you, and you should hang your head in shame if you’re still using it, Vanhoef said: “In case you’ve been living under a rock, stop using WEP, it’s known to be a horrible security protocol.”

This tool can test if clients or Wi-Fi access points, including home or enterprise networks, are vulnerable to the design and implementation flaws. The tool supports over 45 test cases and requires modified drivers to test reliably: Without modified drivers, you might come to the incorrect conclusion that a device isn’t affected.

To check whether or not a device vendor has issued a patch for one of the dozen FragAttacks, check your device’s firmware changelogs to see if it’s received security updates that address these CVEs:

Wi-Fi Standard Design Flaws:

CVE-2020-24588: aggregation attack (accepting non-SPP A-MSDU frames).
CVE-2020-24587: mixed key attack (reassembling fragments encrypted under different keys).
CVE-2020-24586: fragment cache attack (not clearing fragments from memory when (re)connecting to a network).

Wi-Fi Standard Implementation Flaws:

CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
CVE-2020-26140: Accepting plaintext data frames in a protected network.
CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.

Other Implementation Flaws:

CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
CVE-2020-26142: Processing fragmented frames as full frames.
CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.
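The fragmentation-related entries in the lists above (CVE-2020-24586, -24587, -26140, -26142, -26143, -26146, -26147) all describe a receiver accepting fragments it should have dropped. The following Python model of a receiver-side fragment cache is an added illustration, not code from the article or from Vanhoef’s tool; the Fragment fields are a simplified stand-in for the real 802.11 header and CCMP/GCMP nonce, and the A-MSDU flaws (CVE-2020-24588, -26144) are out of its scope.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Fragment:
    # Constructed model of a decrypted MPDU fragment, not a real 802.11 header.
    seq: int                 # sequence number shared by all fragments of one frame
    frag: int                # fragment number, 0 for the first fragment
    more_frags: bool         # "More Fragments" bit in the Frame Control field
    key_id: Optional[int]    # key the fragment was decrypted under; None = plaintext
    pn: Optional[int]        # CCMP/GCMP packet number; None = plaintext
    payload: bytes

class Reassembler:
    """Receiver-side fragment cache with the checks the FragAttacks CVEs call for."""
    def __init__(self) -> None:
        self.cache: Dict[int, List[Fragment]] = {}

    def on_connect(self) -> None:
        self.cache.clear()   # CVE-2020-24586: no stale fragments across (re)connects

    def receive(self, f: Fragment) -> Tuple[str, Optional[bytes]]:
        """Return (verdict, frame); frame is set only when verdict == 'complete'."""
        # CVE-2020-26140/26143/26147: never accept plaintext on a protected link.
        if f.key_id is None or f.pn is None:
            self.cache.pop(f.seq, None)
            return ("drop:plaintext", None)
        if f.frag == 0:
            if not f.more_frags:
                return ("complete", f.payload)   # ordinary unfragmented frame
            self.cache[f.seq] = [f]              # first fragment: buffer and wait
            return ("buffered", None)
        pending = self.cache.get(f.seq)
        # CVE-2020-26142: a non-first fragment is never a full frame by itself.
        if pending is None:
            return ("drop:orphan-fragment", None)
        prev = pending[-1]
        # CVE-2020-24587: every fragment must be decrypted under the same key.
        if f.key_id != prev.key_id:
            del self.cache[f.seq]
            return ("drop:mixed-key", None)
        # CVE-2020-26146: fragment and packet numbers must both be consecutive.
        if f.frag != prev.frag + 1 or f.pn != prev.pn + 1:
            del self.cache[f.seq]
            return ("drop:non-consecutive", None)
        pending.append(f)
        if f.more_frags:
            return ("buffered", None)
        del self.cache[f.seq]
        return ("complete", b"".join(p.payload for p in pending))
```

A driver that skips any one of these checks is the "widespread programming mistake" the article refers to; the test-suite mentioned above exercises each of them against real hardware.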

Why Didn’t Anybody Notice Until Now?

As far as the aggregation design flaw goes, it was in fact noticed. Back in 2007, when the 802.11n amendment was being written, it introduced support for aggregated (A-MSDU) frames. Several IEEE members noticed that the “is aggregated” flag wasn’t authenticated, but given that many products had already implemented a draft of the 802.11n amendment, it was decided that rather than work backwards, devices could advertise whether they are capable of authenticating the “is aggregated” flag.

Unfortunately, as of 2020, “not a single tested device supported this capability, likely because it was considered hard to exploit,” the researcher said. “To quote a remark made back in 2007: ‘While it is hard to see how this can be exploited, it is clearly a flaw that is capable of being fixed.’”

In short, it was noticed, a defense was cooked up, but nobody adopted it: A “good example that security defenses must be adopted before attacks become practical,” Vanhoef said.

What To Do if Your Device Isn’t Patched Yet

Using a VPN can prevent attacks where an adversary is trying to exfiltrate data, but it won’t prevent an attacker from bypassing your router’s NAT/firewall to directly attack devices.

Vanhoef passed along these general security best practices:

Update your devices, including IoT/smart devices, which don’t all receive regular updates.
Don’t reuse your passwords.
Back up important data.
Keep off of dicey websites.
Double-check that websites you visit use HTTPS, or better yet, install the HTTPS Everywhere plugin, which forces HTTPS usage on websites that are known to support it.
Manually configure your DNS server to prevent poisoning.
