Newly discovered Wi-Fi security vulnerabilities collectively known as FragAttacks (fragmentation and aggregation attacks) are impacting all Wi-Fi devices (including computers, smartphones, and smart devices) going back as far as 1997.
Three of these bugs are Wi-Fi 802.11 standard design flaws in the frame aggregation and frame fragmentation functionalities affecting most devices, while others are programing mistakes in Wi-Fi products.
“Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities,” security researcher Mathy Vanhoef (New York University Abu Dhabi), who discovered the FragAttacks bugs, said.
“The discovered vulnerabilities affect all modern security protocols of Wi-Fi, including the latest WPA3 specification. Even the original security protocol of Wi-Fi, called WEP, is affected.
“This means that several of the newly discovered design flaws have been part of Wi-Fi since its release in 1997!,” Vanhoef added.
Attackers abusing these design and implementation flaws have to be in the Wi-Fi range of targeted devices to steal sensitive user data and execute malicious code following successful exploitation, potentially leading to full device takeover.
FragAttacks vulnerabilities’ impact
Luckily, as Vanhoef further found, “the design flaws are hard to abuse because doing so requires user interaction or is only possible when using uncommon network settings.”
However, the programming mistakes behind some of the FragAttacks vulnerabilities are trivial to exploit and would allow attackers to abuse unpatched Wi-Fi products with ease.
FragAttacks CVEs associated with Wi-Fi design flaws include:
- CVE-2020-24588: aggregation attack (accepting non-SPP A-MSDU frames).
- CVE-2020-24587: mixed key attack (reassembling fragments encrypted under different keys).
- CVE-2020-24586: fragment cache attack (not clearing fragments from memory when (re)connecting to a network).
Wi-Fi implementation vulnerabilities were assigned the following CVEs:
- CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
- CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
- CVE-2020-26140: Accepting plaintext data frames in a protected network.
- CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.
Other implementation flaws discovered by Vanhoef include:
- CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
- CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
- CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
- CVE-2020-26142: Processing fragmented frames as full frames.
- CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.
The researcher also made a video demo demonstrating how attackers could take over an unpatched Windows 7 system inside a target’s local network.
Security updates already released by some vendors
The Industry Consortium for Advancement of Security on the Internet (ICASI) says that vendors are developing patches for their product to mitigate the FragAttacks bugs.
Cisco Systems, HPE/Aruba Networks, Juniper Networks, Sierra Wireless, and Microsoft [1, 2, 3] have already published FragAttacks security updates and advisories.
These security updates have been prepared during a 9-month-long coordinated disclosure process supervised by ICASI and the Wi-Fi Alliance.
“There is no evidence of the vulnerabilities being used against Wi-Fi users maliciously, and these issues are mitigated through routine device updates that enable detection of suspect transmissions or improve adherence to recommended security implementation practices,” the Wi-Fi Alliance said.
“As always, Wi-Fi users should ensure they have installed the latest recommended updates from device manufacturers.”
If your device vendor hasn’t yet released security updates addressing the FragAttacks bugs, you can still mitigate some of the attacks.
This can be done by ensuring that all websites and online services you visit use Hypertext Transfer Protocol Secure (HTTPS) protocol (by installing the HTTPS Everywhere web browser extension, for instance.)
Additional mitigation advice available on the FragAttacks website suggests “disabling fragmentation, disabling pairwise rekeys, and disabling dynamic fragmentation in Wi-Fi 6 (802.11ax) devices.”
An open-source tool to determine if access points and Wi-Fi clients on your network are affected by the FragAttacks flaws is also available on GitHub.
FragAttacks technical details are available in Vanhoef’s “Fragment and Forge: Breaking Wi-Fi ThroughFrame Aggregation and Fragmentation” research paper.
During the last four years, Vanhoef also discovered the KRACK and Dragonblood attacks allowing attackers to observe the encrypted network traffic exchanged between connected Wi-Fi devices, crack Wi-Fi network passwords, forge web traffic by injecting malicious packets and steal sensitive information.