FragAttacks Bugs Plague Wi-Fi Devices


A new research paper uncovered an array of design and implementation flaws that affect Wi-Fi devices. The vulnerabilities can allow an attacker within radio range of a victim to steal user information - however, they are difficult to exploit.

The research, by Mathy Vanhoef, postdoctoral researcher in computer security at New York University Abu Dhabi, disclosed the flaws stemming from the 802.11 standard that underpins Wi-Fi. This standard is designed to connect Wi-Fi devices efficiently to the router - and ensure they stay connected - by establishing the pace of data transmission.

The bugs affect all modern security protocols of Wi-Fi - from the original security protocol of Wi-Fi released in 1997, which exists on old networks, called Wired Equivalent Privacy (WEP), up to the latest Wi-Fi Protected Access 3 (WPA3) specification.

“Interestingly, our aggregation attack could have been avoided if devices had implemented optional security improvements earlier,” said Vanhoef in the research paper, called “Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation” and released Tuesday. “This highlights the importance of deploying security improvements before practical attacks are known.”

In analyzing open-source Wi-Fi stacks and systematically inspecting the 802.11 standard, Vanhoef found three design flaws in two processes, frame fragmentation and frame aggregation, both of which govern how units of data called frames are transmitted. For this reason, the collective set of vulnerabilities is named FragAttacks (fragmentation and aggregation attacks).

When looking at the design flaws, one (CVE-2020-24588) exists in the frame aggregation feature of the standard. This feature allows for the communication of frames on a shared channel by sending two or more data frames in a single transmission. The design issue here stems from the fact that when an unauthenticated flag is flipped in the header of a frame, the encrypted payload will be parsed as containing one or more aggregated frames instead of a normal network packet. Attackers can abuse this design error to inject arbitrary frames, and then intercept a victim’s traffic by making it use a malicious DNS server.
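A receiver-side sanity check for the ambiguity described above, as an added example that is not from the article or the research paper. It assumes the standard A-MSDU subframe layout (6-byte destination, 6-byte source, 2-byte length, padding to a 4-byte boundary) and that an ordinary data payload begins with the LLC/SNAP header `AA AA 03 00 00 00`; the function name is hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* An ordinary (non-aggregated) data payload begins with this LLC/SNAP header. */
static const uint8_t LLC_SNAP[6] = {0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00};

/*
 * Hypothetical helper: validate a decrypted payload whose frame header claims
 * "aggregated". Returns the number of subframes, or -1 if it must be dropped.
 */
int amsdu_validate(const uint8_t *p, size_t len)
{
    size_t off = 0;
    int count = 0;

    /* The aggregation flag is unauthenticated, so a payload that looks like a
     * normal packet must never be reinterpreted as a list of subframes. */
    if (len >= sizeof(LLC_SNAP) && memcmp(p, LLC_SNAP, sizeof(LLC_SNAP)) == 0)
        return -1;

    while (off < len) {
        if (len - off < 14)                  /* DA(6) + SA(6) + length(2) */
            return -1;
        size_t body = ((size_t)p[off + 12] << 8) | p[off + 13];
        if (body > len - off - 14)           /* length field overruns the buffer */
            return -1;
        off += 14 + body;
        count++;
        if (off < len) {                     /* all but the last subframe are padded */
            off += (4 - (off & 3)) & 3;
            if (off > len)
                return -1;
        }
    }
    return count > 0 ? count : -1;           /* an empty aggregate is also dropped */
}
```
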

The other two flaws (CVE-2020-24587 and CVE-2020-24586) exist in the process of frame fragmentation, which splits up large frames into smaller fragments with the aim to improve performance in networks with large distances. These issues stem from the fact that, while all fragments of a frame are encrypted under the same key, receivers are not required to double check that this is the case. Also, a receiver is not required to remove incomplete fragments from memory when connecting to a different network.

“We abuse this to inject malicious fragments into the fragment cache, i.e., memory, of the victim and thereby inject arbitrary packets,” said Vanhoef. “Most devices were affected by at least one of these attacks.”

In a real-world attack, these flaws could allow an adversary to intercept the data of someone when they visit an insecure website - for instance, the username and password, said Vanhoef. That said, Vanhoef stressed that these design flaws are, on their own, tedious to exploit in practice, because abusing them requires user interaction or is only possible when using uncommon network settings.

“The first category of attacks, where sensitive data is stolen, is harder for an attacker to abuse,” said Vanhoef. “The attacker needs to be within range of the victim's Wi-Fi network and the attacker somehow has to trick the user into clicking a link. This means the first category of attacks is less concerning in practice.”

Researchers also uncovered “widespread” implementation flaws that are related to frame aggregation and fragmentation. These nine flaws are caused by programming mistakes in Wi-Fi products and can be exploited on their own or make it easier to abuse the uncovered design issues. And, in contrast to the first category of flaws, in order to exploit these implementation issues, an adversary would only need to be within range of a vulnerable Wi-Fi network, said Vanhoef.

One of the more common implementation issues is that receivers do not check whether all fragments belong to the same frame. This means that an attacker could forge frames by mixing the fragments of two different frames, said Vanhoef. Other implementations also contain an array of errors making it possible to mix encrypted and plaintext fragments, to inject plaintext aggregated frames by disguising them as handshake messages, and to inject plaintext fragmented (broadcast) frames, he said.
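The receiver checks whose absence is described above and in the earlier fragmentation paragraph, sketched as an added example that is not code from the article, the paper, or any vendor. The struct layouts and function names are hypothetical, `key_id` 0 stands for a plaintext fragment, and using consecutive packet numbers to tie fragments to one frame is this example's assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical receiver state for one partially reassembled frame. */
struct frag_entry {
    bool     in_use;
    uint16_t seq;        /* sequence number shared by all fragments      */
    uint8_t  next_frag;  /* fragment number expected next                */
    uint32_t key_id;     /* key that decrypted fragment 0; 0 = plaintext */
    uint64_t last_pn;    /* packet number of the last accepted fragment  */
};

/* Metadata of one received fragment after decryption (constructed layout). */
struct fragment {
    uint16_t seq;
    uint8_t  frag_no;
    bool     more_frags;
    uint32_t key_id;
    uint64_t pn;
};

enum frag_result { FRAG_DROP, FRAG_STORED, FRAG_COMPLETE };

/* Call on every (re)association so fragments from the old network are forgotten. */
void frag_cache_flush(struct frag_entry *e) { memset(e, 0, sizeof(*e)); }

enum frag_result frag_receive(struct frag_entry *e, const struct fragment *f)
{
    if (f->frag_no == 0) {                    /* first fragment opens a new frame */
        e->in_use = true;
        e->seq = f->seq;
        e->key_id = f->key_id;
    } else if (!e->in_use || f->seq != e->seq || f->frag_no != e->next_frag ||
               f->key_id != e->key_id ||      /* other key, or plaintext mixed in */
               (e->key_id != 0 && f->pn != e->last_pn + 1)) {  /* PN gap */
        frag_cache_flush(e);
        return FRAG_DROP;
    }
    e->last_pn = f->pn;
    e->next_frag = (uint8_t)(f->frag_no + 1);
    if (f->more_frags)
        return FRAG_STORED;
    frag_cache_flush(e);                      /* frame complete: release the slot */
    return FRAG_COMPLETE;
}
```
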

These flaws “can be abused to attack insecure smart home devices or outdated computers (for instance an outdated Windows 7 computer),” said Vanhoef. “Concretely, if a Wi-Fi network is vulnerable, an attacker can remotely control such outdated devices.”

The flaws come on the heels of a nine-month coordinated disclosure period. According to the Industry Consortium for Advancement of Security on the Internet (ICASI), various vendors whose products are affected are in the process of deploying - or have already deployed - mitigations addressing the flaws, including Microsoft, Sierra Wireless, Juniper Networks, HPE/Aruba Networks and Cisco Systems.

“There is no evidence of the vulnerabilities being used against Wi-Fi users maliciously, and these issues are mitigated through routine device updates that enable detection of suspect transmissions or improve adherence to recommended security implementation practices,” said the Wi-Fi Alliance in a security update.

Security issues in Wi-Fi have previously opened devices up to data-stealing attacks. An attack called key installation (KRACK) disclosed in 2017 enabled attackers to decrypt encrypted traffic, steal data and inject malicious code. Another vulnerability in Wi-Fi chips found in February 2020, dubbed Kr00k by researchers, allowed attackers to eavesdrop on Wi-Fi communications.

Despite these flaws, the security of Wi-Fi has significantly improved over the past years, said Vanhoef. However, the latest set of vulnerabilities shows the importance of continually analyzing even the most well-known security protocols.

“Additionally, it shows that it's essential to regularly test Wi-Fi products for security vulnerabilities, which can for instance be done when certifying them,” said Vanhoef.