FragAttacks: 12 Critical Flaws in All WiFi Devices Since 1997

WiFi has suffered two major vulnerabilities in recent years. In October 2017 we learned about KRACK, discovered by Mathy Vanhoef, and in August 2018 about another attack that allowed a WPA-PSK network to be cracked. Now the same researcher has disclosed a dozen WiFi vulnerabilities, some of which have existed for 24 years.

Yesterday, Mathy Vanhoef published a paper entitled "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation", in which he describes a number of WiFi vulnerabilities: three design flaws in the standard itself and nine implementation flaws. This new series of attacks has been named FragAttacks, short for Fragmentation and Aggregation Attacks.

FragAttacks

The vulnerabilities have existed for 24 years

The vulnerabilities affect every WiFi security protocol since the standard's inception in 1997, from WEP up to the current WPA3. They let an attacker forge frames in several ways and thereby extract sensitive information. There is also a flaw in the way data frames are aggregated and fragmented, which can amplify the impact of the attacks.

Specifically, the flag in a frame's header that marks it as aggregated is not authenticated, so it can be flipped and the encrypted payload is then processed as several frames instead of a single network packet. Using this, the researchers were able to intercept a victim's traffic by means of a malicious DNS server.

The bottom line is that every device they tested is vulnerable to at least one of these attacks. Their tests covered 75 devices, including network cards and devices running Windows, Linux, Android, iOS and macOS. Interestingly, NetBSD and OpenBSD are not vulnerable to these attacks.

Another design flaw is that, although all fragments of a frame are supposed to be encrypted with the same key, the receiver is not required to verify this. That makes it possible to mix fragments encrypted under different keys and exfiltrate WiFi data from a device. A further flaw allows arbitrary packets to be injected.

To carry out these attacks the attacker must be within radio range of the target WiFi network. The victim must then be made to interact with the attacker over the network, for example by downloading an image from a server the attacker controls. Through that interaction a malicious IPv4 packet with a modified header can be delivered so that packets can be injected.

List of vulnerabilities and who has patched them

The complete CVE list of vulnerabilities is as follows:

  • CVE-2020-24588 – Aggregation attack (accepting non-SPP A-MSDU frames).
  • CVE-2020-24587 – Mixed key attack (reassembling encrypted fragments decrypted under different keys).
  • CVE-2020-24586 – Fragment cache attack (not clearing fragments from memory when connecting or reconnecting to a network).
  • CVE-2020-26145 – Accepting plaintext fragments as full frames in an encrypted network.
  • CVE-2020-26144 – Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL in an encrypted network.
  • CVE-2020-26140 – Accepting plaintext data frames in a protected network.
  • CVE-2020-26143 – Accepting fragmented plaintext data frames in a protected network.
  • CVE-2020-26139 – Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect access points).
  • CVE-2020-26146 – Reassembling encrypted fragments with non-consecutive packet numbers.
  • CVE-2020-26147 – Reassembling mixed encrypted and plaintext fragments.
  • CVE-2020-26142 – Processing fragmented frames as full frames.
  • CVE-2020-26141 – Not verifying the TKIP MIC of fragmented frames.
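The receiver-side checks that the fragmentation entries above (CVE-2020-24587, -26146, -26147, -24586, -26142 and the plaintext-frame ones) describe as missing, as an added illustration that is not code from the paper, from Mathy Vanhoef's tool or from any WiFi driver. The Fragment fields and the Reassembler are a constructed, simplified model of the relevant 802.11 header fields; the "lax" mode only approximates the behaviour the article describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union


@dataclass(frozen=True)
class Fragment:
    seq: int               # sequence number shared by all fragments of one frame
    frag_no: int           # fragment number, 0-based
    more_frags: bool       # "more fragments" flag in the frame control field
    key_id: Optional[int]  # key that decrypted the fragment; None if it was plaintext
    pn: Optional[int]      # CCMP/GCMP packet number; None if plaintext
    payload: bytes


class Reassembler:
    """Defragments frames for a protected network. strict=False mirrors the lax
    receivers the article describes; strict=True applies the checks a patched
    receiver performs (simplified model, not any driver's code)."""

    def __init__(self, strict: bool = True) -> None:
        self.strict = strict
        self._cache: Dict[int, List[Fragment]] = {}

    def on_reconnect(self) -> None:
        # CVE-2020-24586: buffered fragments must not survive a (re)connection.
        if self.strict:
            self._cache.clear()

    def receive(self, f: Fragment) -> Tuple[str, Union[bytes, str, None]]:
        """Returns ("pending", None), ("complete", data) or ("dropped", reason)."""
        pending = self._cache.get(f.seq, [])
        if self.strict:
            if f.key_id is None:   # CVE-2020-26140/26143/26147: no plaintext here
                return self._drop(f.seq, "plaintext frame")
            if f.frag_no != len(pending):
                return self._drop(f.seq, "out-of-order fragment number")
            if pending and f.key_id != pending[0].key_id:   # CVE-2020-24587
                return self._drop(f.seq, "mixed key")
            if pending and f.pn != pending[-1].pn + 1:      # CVE-2020-26146
                return self._drop(f.seq, "non-consecutive PN")
        pending.append(f)
        if f.more_frags:             # CVE-2020-26142: never deliver a partial frame
            self._cache[f.seq] = pending
            return ("pending", None)
        self._cache.pop(f.seq, None)
        return ("complete", b"".join(p.payload for p in pending))

    def _drop(self, seq: int, reason: str) -> Tuple[str, str]:
        self._cache.pop(seq, None)   # discard the partial frame too
        return ("dropped", reason)
```

Feeding the same two-fragment frame to both modes shows the difference: the strict receiver rejects a second fragment decrypted under another key, a jump in packet number, or a fragment left over from before a reconnection, while the lax one reassembles all of them.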

To check whether a router is vulnerable to these attacks, Mathy Vanhoef has published a tool on his GitHub page and a demonstration on YouTube, which makes clear that exploiting these flaws is quite complicated, but not impossible.

Patches for these vulnerabilities are now available thanks to nine months of coordination between the Wi-Fi Alliance and the Industry Consortium for Advancement of Security on the Internet (ICASI). On Linux the patches have already been applied, and Intel has also patched its WiFi chips. For Windows 10, the patch has been available since March 9. Now it only remains for router manufacturers to implement it, which may take longer, and unfortunately in many cases it will never arrive.