Every Wi-Fi devices are vulnerable to FragAttacks: Security Researcher

FragAttacks are a group of recently discovered Wi-Fi security vulnerabilities that affect all Wi-Fi devices, including computers, smartphones, and smart devices (fragmentation and aggregation attacks).

 

Three of these flaws are design flaws in the frame aggregation and frame fragmentation functionalities of the Wi-Fi 802.11 protocol that affect most devices, while the others are Wi-Fi product programming errors.

 

Experiments show that any Wi-Fi device is affected by at least one vulnerability, with most devices being affected by several vulnerabilities, according to security researcher Mathy Vanhoef (New York University Abu Dhabi), who discovered the FragAttacks bugs.

 

All modern Wi-Fi security protocols, including the new WPA3 specification, are affected by the discovered flaws.

 

Also read: Ransomware gang leaks Metropolitan Police Department’s data

 

 

Also, the original Wi-Fi protection protocol, known as WEP, is vulnerable. Since its introduction in 1997, Wi-Fi has seen the majority of its interface shortcomings.

 

Threat actors exploiting these design and deployment vulnerabilities must be within Wi-Fi range of the targeted devices in order to steal confidential user data and execute malicious code after successful exploitation, which could lead to complete device takeover.

 

You might also like: Adobe releases patches for zero-day vulnerability in Adobe Reader

 

 

The design vulnerabilities are difficult to exploit since they need user intervention or can only be exploited with unusual network settings.

 

However, the programming errors behind some of the FragAttacks flaws are simple to exploit, allowing attackers to easily take advantage of unpatched Wi-Fi devices.

 

 

The following FragAttacks CVEs are related to Wi-Fi design flaws:

  • CVE-2020-26145:Accepting plaintext broadcast fragments as full frames (in an encrypted network).
  • CVE-2020-26144:Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
  • CVE-2020-26140:Accepting plaintext data frames in a protected network.
  • CVE-2020-26143:Accepting fragmented plaintext data frames in a protected network.

 

Other implementation flaws discovered by Vanhoef include:

  • CVE-2020-26139:Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
  • CVE-2020-26146:Reassembling encrypted fragments with non-consecutive packet numbers.
  • CVE-2020-26147:Reassembling mixed encrypted/plaintext fragments.
  • CVE-2020-26142:Processing fragmented frames as full frames.
  • CVE-2020-26141:Not verifying the TKIP MIC of fragmented frames.

 

 

 

 

The researcher has released a video demonstrating how attackers could take control of an unpatched Windows 7 device within a target’s local network.

 

 

 

Vendors are developing patches for their products to fix the FragAttacks bugs, according to the Industry Consortium for Advancement of Security on the Internet (ICASI).

 

FragAttacks security updates and advisories have already been released by Cisco Systems, HPE/Aruba Networks, Juniper Networks, Sierra Wireless, and Microsoft.

 

ICASI and the Wi-Fi Alliance oversaw a 9-month synchronized disclosure process that resulted in these security changes.

 

According to the Wi-Fi Alliance, there is no indication that the vulnerabilities have been maliciously exploited, and that these issues can be addressed by regular device updates that allow for the identification of suspect transmissions or increase adherence to recommended security implementation practices.

 

You might also like: Android banking malware-Teabot exploited in the wild

 

Users should make sure they have the most recent updates from their device manufacturers enabled.

 

Any of the attacks can also be mitigated by users whose system vendor has not yet released security updates.

 

This can be accomplished by using the Hypertext Transfer Protocol Secure (HTTPS) protocol on all websites and online services you visit.

 

In Wi-Fi 6 (802.11ax)  devices, users can also disable fragmentation, pairwise rekeys, and dynamic fragmentation.

 

On GitHub, there’s even an open-source tool for determining if the network’s access points and Wi-Fi clients are vulnerable to the FragAttacks flaws.