FragAttacks vulnerabilities expose all WiFi devices to hack

Pierluigi Paganini May 12, 2021

Security researcher discovered a series of flaws, collectively tracked as FragAttacks, that impact the WiFi devices sold for the past 24 years.

Belgian security researcher Mathy Vanhoef disclosed the details of a multiple vulnerabilities, tracked as FragAttacks, that affect WiFi devices exposed them to remote attacks. Some the flaws discovered by the experts date back as far back as 1997.

The vulnerabilities could be exploited by an attacker within a device’s WiFi radio range to steal info from it and also execute malicious code. The devices were exposed to the FragAttacks even if they were using WiFi security protocols such as WEP, WPA, and WPA3.

The issues impact all Wi-Fi security protocols, according to Vanhoef, more than 75 tested Wi-Fi devices were affected by at least one of the FragAttacks flaws, and in the majority of the cases, the devices were vulnerable to multiple vulnerabilities.

“This website presents FragAttacks (fragmentation and aggregation attacks) which is a collection of new security vulnerabilities that affect Wi-Fi devices. An adversary that is within radio range of a victim can abuse these vulnerabilities to steal user information or attack devices. Three of the discovered vulnerabilities are design flaws in the Wi-Fi standard and therefore affect most devices.” reads the website FragAttacks. “On top of this, several other vulnerabilities were discovered that are caused by widespread programming mistakes in Wi-Fi products. Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities.”

The expert discovered three design flaws in the 802.11 standard that underpins WiFi along with common implementation flaws related to aggregation and fragmentation.

The vulnerabilities affect all major operating systems, including Windows, Linux, Android, macOS, and iOS. All The APs that were tested by the experts were also found vulnerable, including professional APs. Vanhoef pointed out that only NetBSD and OpenBSD were not impacted because they do not support the reception of A-MSDUs.

The following video shows three examples of how a threat actor can exploit the vulnerabilities. 

“As the demo illustrates, the Wi-Fi flaws can be abused in two ways. First, under the right conditions they can be abused to steal sensitive data. Second, an adversary can abuse the Wi-Fi flaws to attack devices in someone’s home network.” continues the expert. “The biggest risk in practice is likely the ability to abuse the discovered flaws to attack devices in someone’s home network. For instance, many smart home and internet-of-things devices are rarely updated, and Wi-Fi security is the last line of defense that prevents someone from attacking these devices. Unfortunately, due to the discover vulnerabilities, this last line of defense can now be bypassed. In the demo above, this is illustrated by remotely controlling a smart power plug and by taking over an outdated Windows 7 machine. The Wi-Fi flaws can also be abused to exfiltrate transmitted data.”

Summarizing, the design flaws discovered by the expert are:

  • CVE-2020-24588: aggregation attack (accepting non-SPP A-MSDU frames).
  • CVE-2020-24587: mixed key attack (reassembling fragments encrypted under different keys).
  • CVE-2020-24586: fragment cache attack (not clearing fragments from memory when (re)connecting to a network)

while the implementation vulnerabilities are:

  • CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
  • CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
  • CVE-2020-26140: Accepting plaintext data frames in a protected network.
  • CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.

and other implementation flaws found by the researcher are:

  • CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
  • CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
  • CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
  • CVE-2020-26142: Processing fragmented frames as full frames.
  • CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.

The expert notified affected vendors and has given 9 months to address the issues.

Vanhoef also released a research paper and an open source tool that can be used to determine if Wi-Fi clients and access points are vulnerable to FragAttacks.

Please vote Security Affairs as Best Personal cybersecurity Blog

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, FragAttacks )

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment