Wi-Fi devices going back to 1997 are vulnerable to attackers who can steal your data if they’re in range.
A Belgian security researcher specializing in Wi-Fi bugs has unearthed a clutch of new ones, which he called FragAttacks, that affect the Wi-Fi standard itself. The name is short for “fragmentation and aggregation attacks.”
Some bugs date back to 1997, meaning that computers, smartphones or other smart devices as old as 24 years may be vulnerable to attackers in Wi-Fi range. If attackers are near enough, they could intercept the owner’s information, trigger malicious code, and/or take over the device.
Mathy Vanhoef, the Belgian security researcher who discovered the FragAttacks, said in a Tuesday post that three of the vulnerabilities are design flaws in the Wi-Fi standard and therefore “affect most devices.” Several other vulnerabilities are caused by “widespread programming mistakes,” he said, with experiments indicating that “every Wi-Fi product is affected by at least one vulnerability,” with most affected by several.
Vanhoef knows his Wi-Fi protocols and how to shred them: He previously discovered the KRACK attack, a devastating weakness in the WPA2 protocol that allows attackers to decrypt encrypted traffic, steal data and inject malicious code, depending on the network configuration. He also found the RC4 NOMORE attack, which helped drive nails into the coffin of the RC4 encryption algorithm, as well as the Dragonblood attack against WPA3 Wi-Fi networks that would allow attackers to steal passwords.
Vanhoef’s demo video shows three ways attackers can exploit the new vulnerabilities: intercepting victims’ authentication credentials; abusing insecure internet-of-things (IoT) devices, in the demo by remotely switching a smart power socket on and off; and using the flaws as a foothold for further attacks, in the demo by taking over an outdated Windows 7 machine inside the local network.
Bugs Are Not Being Exploited in the Wild…Maybe
Vanhoef said that the design flaws aren’t being exploited now, nor have they been in the past – at least, not that he and his team are aware of. Because it took so long to discover some of the flaws, his hunch is that they haven’t yet been uncovered elsewhere. It’s tough to say for sure, though, given how difficult it is to monitor all the affected devices, with the flaws reaching back more than two decades. “So it is hard to give a definite answer to this question,” he said.
Yaniv Bar-Dayan, CEO and co-founder of vulnerability management provider Vulcan Cyber, agrees that an attack is unlikely, though he said FragAttacks should still be taken seriously, since they can be exploited to steal user data or attack devices. Exploitation would take a “perfect storm,” he said: attackers need to be in radio range, the exploit requires misconfigured network settings, and adversaries need direct interaction with a user. “This has the potential to seriously disrupt a large [swath] of users. However, it’s unlikely that the exploitation of these vulnerabilities will be successful in the wild,” he told Threatpost via email on Wednesday.
That doesn’t mean that they can be ignored, though. While vendors work to pump out patches, it’s vital that device owners implement proven Wi-Fi security best practices. “End users and administrators alike need to be coordinated in their efforts to regularly patch connected devices, which include routers, IoT devices and smartphones,” Bar-Dayan commented. “Make sure your router is encrypting data, use a sophisticated and unique password or multi-factor authentication, don’t broadcast your network ID, double check configurations are secure, and, above all else, patch early and often.”
How the Bugs Work
Several of the implementation flaws can be abused to “easily” inject frames into a protected Wi-Fi network, Vanhoef explained. “In particular, an adversary can often inject an unencrypted Wi-Fi frame by carefully constructing this frame,” he wrote.
One way these bugs can be abused to intercept a device owner’s information is by tricking the client into using a malicious DNS server, as his demo video shows. The flaws can also be used to compromise routers by bypassing the NAT/firewall, which lets attackers go after devices inside the local Wi-Fi network. The demo video shows one example: an attack on an outdated Windows 7 machine.
The demo also shows how other vulnerabilities stem from the way the Wi-Fi standard breaks frames into fragments and reassembles them at the receiver: a receiver that doesn’t check that all fragments belong to the same frame lets an attacker splice their own data into a frame during reassembly, which can be used to inject packets or exfiltrate data.
How Does He Know That *Every* Device Is Affected?
Experiments were done on more than 75 devices, with every one of them proving vulnerable to at least one of the discovered attacks. Could there be FragAttack-resistant Wi-Fi gadgets tucked into some cave in some dark corner of the globe? Well, if you find one, let him know, Vanhoef wrote.
“I’m curious myself whether all devices in the whole world are indeed affected though!” he said. “To find this out, if you find a device that isn’t affected by at least one of the discovered vulnerabilities, let me know.”
Device vendors, this could be your 15 minutes of fame. The researcher said that if you think your product isn’t affected, please send him one: After he confirms that it can shrug off FragAttacks, the name of the company and the product will be featured in his post. No silent patches, please: Vanhoef has ways to sniff out whether the device was indeed available before the vulnerabilities were disclosed. He plans to present his research at the USENIX Security conference, with a longer talk and more background scheduled for Black Hat USA, which takes place July 31-Aug. 5.
Welcome to a Hellish, Ongoing Patching Job
Disclosure of the FragAttacks vulnerabilities comes after a nine-month embargo: a period in which the Wi-Fi Alliance has been overhauling its standard and guidelines and working with device vendors as they release firmware patches, with supervision from the Industry Consortium for Advancement of Security on the Internet (ICASI). Not all vendors have patched at this point, but ICASI has published an overview of where each vendor stands.
The creaky WEP protocol won’t save you, and you should hang your head in shame if you’re still using it, Vanhoef said: “In case you’ve been living under a rock, stop using WEP, it’s known to be a horrible security protocol.”
Vanhoef has released a testing tool that can check whether clients or Wi-Fi access points, in home or enterprise networks, are vulnerable to the design and implementation flaws. The tool supports over 45 test cases. It requires modified drivers to test reliably: without them, results are unreliable and you might wrongly conclude that a device isn’t affected.
To check whether or not a device vendor has issued a patch for one of the dozen FragAttacks, check your device’s firmware changelogs to see if it’s received security updates that address these CVEs:
Wi-Fi Standard Design Flaws:
- CVE-2020-24588: aggregation attack (accepting non-SPP A-MSDU frames).
- CVE-2020-24587: mixed key attack (reassembling fragments encrypted under different keys).
- CVE-2020-24586: fragment cache attack (not clearing fragments from memory when (re)connecting to a network).
Wi-Fi Standard Implementation Flaws:
- CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
- CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
- CVE-2020-26140: Accepting plaintext data frames in a protected network.
- CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.
Other Implementation Flaws:
- CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
- CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
- CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
- CVE-2020-26142: Processing fragmented frames as full frames.
- CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.
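The reassembly flaws in the list above (mixed key, fragment cache, non-consecutive packet numbers, mixed encrypted and plaintext fragments) and the fragmentation behaviour described under “How the Bugs Work” all come down to a receiver gluing fragments together without checking that they belong to one frame. The toy defragmenter below is an added illustration, not Vanhoef’s test tool or any vendor’s driver: it runs constructed fragment sequences through a lenient receiver and through one that performs the checks, and the sequence numbers, key identifiers and payloads are all made up for the example.

```python
"""Added example: receive-side fragment reassembly with and without the checks
that FragAttacks showed to be missing. Not Vanhoef's tool or a vendor driver;
the fragments below are constructed for the illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Fragment:
    seq: int               # sequence number shared by all fragments of one frame
    frag: int              # fragment number, 0..15
    more: bool             # More Fragments bit in the Frame Control field
    pn: Optional[int]      # CCMP/GCMP packet number; None = fragment arrived in plaintext
    key_id: Optional[int]  # pairwise key it was decrypted under; None for plaintext
    payload: bytes


class Defragmenter:
    """strict=False mirrors the lenient behaviour behind several of the CVEs;
    strict=True performs the checks a patched receiver must make."""

    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self.pending: Dict[int, List[Fragment]] = {}

    def reconnect(self) -> None:
        # A fixed receiver flushes partial frames on (re)association. Keeping them
        # in memory is the fragment cache attack (CVE-2020-24586).
        if self.strict:
            self.pending.clear()

    def receive(self, f: Fragment) -> Optional[bytes]:
        """Returns the reassembled frame when its last fragment arrives, else None."""
        if self.strict and f.pn is None:
            # Plaintext fragments are refused outright in a protected network
            # (CVE-2020-26140/26143), which also rules out splicing plaintext
            # into an encrypted frame (CVE-2020-26147).
            return None
        if f.frag == 0:
            self.pending[f.seq] = [f]
        else:
            chain = self.pending.get(f.seq)
            if chain is None or f.frag != chain[-1].frag + 1:
                return None  # nothing to attach to, or out of order
            if self.strict and not self._same_frame(chain[-1], f):
                del self.pending[f.seq]
                return None
            chain.append(f)
        if f.more:
            return None
        return b"".join(x.payload for x in self.pending.pop(f.seq))

    @staticmethod
    def _same_frame(prev: Fragment, cur: Fragment) -> bool:
        if cur.key_id != prev.key_id:
            return False  # every fragment under the same key (CVE-2020-24587, mixed key attack)
        if cur.pn != prev.pn + 1:
            return False  # packet numbers must be consecutive (CVE-2020-26146)
        return True


def run_scenarios() -> Dict[str, Optional[bytes]]:
    """Constructed fragment sequences (not captured traffic) fed to both receivers."""
    results: Dict[str, Optional[bytes]] = {}
    for name, strict in (("lenient", False), ("strict", True)):
        rx = Defragmenter(strict)
        # Honest frame: two fragments, same key, consecutive packet numbers.
        rx.receive(Fragment(1, 0, True, 100, 1, b"GET /index.html "))
        results[name + "/honest"] = rx.receive(Fragment(1, 1, False, 101, 1, b"HTTP/1.1"))
        # Mixed key: fragment 0 from before a rekey, fragment 1 from after it.
        rx.receive(Fragment(2, 0, True, 200, 1, b"GET /login "))
        results[name + "/mixed_key"] = rx.receive(Fragment(2, 1, False, 201, 2, b"Host: attacker.test"))
        # Fragment cache: fragment 0 left in memory across a reconnect (same key id
        # on purpose, so only the cache flush decides the outcome).
        rx.receive(Fragment(3, 0, True, 300, 3, b"stale "))
        rx.reconnect()
        results[name + "/cache"] = rx.receive(Fragment(3, 1, False, 301, 3, b"completion"))
        # Plaintext fragment spliced into an encrypted frame.
        rx.receive(Fragment(4, 0, True, 400, 3, b"enc "))
        results[name + "/mixed_plain"] = rx.receive(Fragment(4, 1, False, None, None, b"plain"))
        # Packet-number gap: fragment 1 replayed from a later frame.
        rx.receive(Fragment(5, 0, True, 500, 3, b"A"))
        results[name + "/pn_gap"] = rx.receive(Fragment(5, 1, False, 509, 3, b"Z"))
    return results


if __name__ == "__main__":
    for case, frame in run_scenarios().items():
        print(f"{case:22s} -> {frame!r}")
```

The lenient receiver returns a complete frame in every scenario, including the four spliced ones; the strict receiver returns only the honest frame. The same four checks are what the vendor patches and the Wi-Fi Alliance guideline changes add to real receivers.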
Why Didn’t Anybody Notice Until Now?
As far as the aggregation design flaw goes, it was in fact noticed. Back in 2007, when the 802.11n amendment was being written, it introduced support for aggregated (A-MSDU) frames. Several IEEE members noticed that the “is aggregated” flag wasn’t authenticated, but given that many products had already implemented a draft of the 802.11n amendment, it was decided that rather than work backwards, devices could advertise whether they are capable of authenticating the “is aggregated” flag.
Unfortunately, as of 2020, “not a single tested device supported this capability, likely because it was considered hard to exploit,” the researcher said. “To quote a remark made back in 2007: ‘While it is hard to see how this can be exploited, it is clearly a flaw that is capable of being fixed.’”
In short, it was noticed, a defense was cooked up, but nobody adopted it: A “good example that security defenses must be adopted before attacks become practical,” Vanhoef said.
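What the unauthenticated “is aggregated” flag means in practice: the same decrypted payload is parsed either as one MSDU (an LLC/SNAP header followed by the packet) or as a chain of A-MSDU subframes (each a destination MAC, source MAC and length, then the subframe body), depending on a single bit in the QoS Control field. The script below is an added example, not code from the paper or from any vendor; the packet, MAC addresses and the “injected” content are constructed for the illustration. The IPv4 identification field of the sample packet is set to 22 so that, read as an A-MSDU, the second subframe begins exactly at the UDP payload, which shows that whoever controls the payload of a packet decides what the second subframe contains once the flag is flipped.

```python
"""Added example: one decrypted payload, two parses, chosen by the A-MSDU Present bit.

Not the paper's code or a vendor's; the packet, MAC addresses and payload text are
constructed for the illustration.
"""
import struct
from typing import Dict, List, Tuple

LLC_SNAP_IPV4 = bytes.fromhex("aaaa03000000" "0800")  # LLC/SNAP header, EtherType 0x0800
VICTIM_MAC = bytes.fromhex("020000000001")              # constructed addresses
ROUTER_MAC = bytes.fromhex("020000000002")


def qos_control(tid: int, amsdu_present_bit: bool) -> bytes:
    """QoS Control field (2 bytes, little-endian). Bit 7 is 'A-MSDU Present'."""
    return struct.pack("<H", (tid & 0x0F) | (0x80 if amsdu_present_bit else 0))


def amsdu_present(qos: bytes) -> bool:
    return bool(struct.unpack("<H", qos)[0] & 0x80)


def parse_msdu(payload: bytes) -> Dict[str, object]:
    """Non-aggregated frame: LLC/SNAP (8 bytes) then the network-layer packet."""
    if payload[:6] != LLC_SNAP_IPV4[:6]:
        return {"ethertype": None, "packet": payload}
    return {"ethertype": struct.unpack(">H", payload[6:8])[0], "packet": payload[8:]}


def parse_amsdu(payload: bytes) -> List[Tuple[bytes, bytes, bytes]]:
    """Aggregated frame: subframes of DA(6) SA(6) Length(2, big-endian) body,
    each padded to a 4-byte boundary except the last."""
    subframes = []
    off = 0
    while off + 14 <= len(payload):
        da, sa = payload[off:off + 6], payload[off + 6:off + 12]
        length = struct.unpack(">H", payload[off + 12:off + 14])[0]
        body = payload[off + 14:off + 14 + length]
        if len(body) < length:
            break  # truncated subframe; a real receiver discards the A-MSDU
        subframes.append((da, sa, body))
        off += 14 + length
        off += (-off) % 4  # skip padding
    return subframes


def interpret(qos: bytes, payload: bytes) -> Dict[str, object]:
    """What a receiver that trusts the (unauthenticated) flag does with the payload."""
    if amsdu_present(qos):
        return {"mode": "amsdu", "subframes": parse_amsdu(payload)}
    return {"mode": "msdu", **parse_msdu(payload)}


def build_ipv4_udp(ip_id: int, data: bytes) -> bytes:
    """Minimal IPv4/UDP packet (constructed; checksums left at zero)."""
    udp = struct.pack(">HHHH", 53, 40000, 8 + len(data), 0) + data
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ip_id, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return ip + udp


def demo() -> Dict[str, Dict[str, object]]:
    # UDP payload laid out as a complete A-MSDU subframe: DA, SA, length, body.
    inner = LLC_SNAP_IPV4 + b"injected"
    udp_data = VICTIM_MAC + ROUTER_MAC + struct.pack(">H", len(inner)) + inner
    # IP ID 22: LLC/SNAP(8) + IP header(20) + UDP header(8) = 36 = 14 + 22, and 36 is
    # 4-byte aligned, so the second subframe starts exactly at the UDP payload.
    payload = LLC_SNAP_IPV4 + build_ipv4_udp(ip_id=22, data=udp_data)
    return {
        "as_msdu": interpret(qos_control(0, False), payload),
        "as_amsdu": interpret(qos_control(0, True), payload),
    }


if __name__ == "__main__":
    for mode, parsed in demo().items():
        print(mode, parsed)
```

With the bit clear the receiver sees an ordinary IPv4 packet; with the bit set it sees two subframes, the first built from the LLC/SNAP and IP header bytes and the second, addressed to VICTIM_MAC from ROUTER_MAC, built entirely from the UDP payload. A receiver that implements the 2007 capability (authenticating the flag as part of the frame’s integrity check) never gets to the second parse unless the sender really sent an A-MSDU.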
The Vendors Respond
On Monday, vendors issued a slew of advisories connected to the FragAttacks.
For its part, Intel issued an advisory about the potential security vulnerabilities that can be found in its PROSet/Wireless WiFi and Intel vPro® Converged Security and Management Engine (CSME) WiFi and Killer™ WiFi products and which may allow denial of service (DoS). The company is in the process of releasing firmware and software updates to fix the bugs, it says.
Linksys did the same, referring to the vulnerabilities with the name of Vanhoef’s paper, which is titled Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation. The company said that “devices using encryption schemes from WEP up to WPA3 are affected industry wide,” though an attacker would again need to either “have a device under their control already on the target network or … to be in proximity of the Wi-Fi network and trick a user on the network to visit the attacker’s server (phishing email, malicious ads, etc.).” The company says it’s working with vendors and manufacturers to get patches out and into customers’ devices “as soon as possible.”
Besides basic security protections – don’t click on unexpected emails or visit fishy websites – Linksys also recommends periodically checking that there are no unfamiliar devices connected to your network. If so, block them and/or change your Wi-Fi network password and, as always, use a strong admin password for your router and enable automatic updates.
The hardware giant published an advisory with a list of affected products longer than your arm. It’s still working to evaluate fixes, so check back: It will continue to update the advisory as it works through this blizzard.
Thanks to the nine-month embargo on disclosure, many affected devices and software packages have already been (quietly) fixed, including patches that have already landed in Linux. Microsoft released its patches early, on March 9, which was the original disclosure date before the embargo was extended. Microsoft had already committed to shipping certain patches on that day, a decision Vanhoef said he agreed with, given that “releasing certain patches without providing information about the vulnerabilities was, at that point, an acceptable risk. Put differently, the advantages of delaying the disclosure appeared to outweigh the risk that someone would reverse engineer the patches and rediscover certain attacks.”
As for all the other Wi-Fi device vendors, Vanhoef recommended checking with them to find out whether the FragAttacks have been addressed. “[F]or some devices the impact is minor, while for others it’s disastrous,” he said.
What To Do if Your Device Isn’t Patched Yet
Using a VPN can prevent attacks where an adversary is trying to exfiltrate data, but it won’t prevent an attacker from bypassing your router’s NAT/firewall to directly attack devices.
Vanhoef passed along these general security best practices:
- Update your devices, including IoT/smart devices, which don’t all receive regular updates
- Don’t reuse your passwords
- Back up important data
- Keep off of dicey websites
- Double-check that websites you visit use HTTPS, or better yet, install the HTTPS Everywhere plugin, which forces HTTPS usages on websites that are known to support it
- Manually configure your DNS server to prevent poisoning.
051221 12:20 UPDATE: Added commentary from Yaniv Bar-Dayan.
051221 13:03 UPDATE: Included vendor response data.