FragAttacks: a cocktail of WiFi vulnerabilities threatens millions of devices

Times are tough for WiFi. If this wireless network connectivity makes users happy, it is also a real danger and a great attack vector opportunity for hackers. In recent years, security holes in security protocols – both WPA 2 and WPA 3 – have multiplied. With the consequence of making the connections of WiFi terminals (laptops, smartphones, routers, access points, etc.) vulnerable. The situation is not improving with security researcher Mathy Vanhoef at New York University Abu Dhabi who has just unveiled a collection of security breaches affecting WiFi terminals dubbed FragAttacks.

“An adversary who is within radio range of a victim can abuse these vulnerabilities to steal user information or attack devices,” warned Mathy Vanhoef in a post. “Three of the vulnerabilities discovered are design flaws in the WiFi standard and therefore affect most devices.” But that’s not all, as the researcher also noted other security holes caused by widespread programming errors in WiFi products. The researcher’s discovery concerns all recent security protocols from WEP to WPA 3.

Easy to exploit WiFi hardware vulnerabilities

“Design flaws are difficult to exploit because it requires user interaction or is only possible when using unusual network settings,” explains Mathy Vanhoef. “As a result, in practice, the biggest concern is programming errors in WiFi products, as many of them are easy to exploit.” The discovery of these weaknesses is still quite surprising because it comes after the fixes made to the very severe Krack exploit (key reinstallation attacks) allowing to compromise the management of the WPA 2 security keys leading to decryption, packet relay, TCP connection hijacking or injection of compromised HTTP content.

In a video, Mathy Vanhoef gives three examples of how an adversary can take advantage of vulnerabilities. First, the aggregation design flaw is abused to intercept sensitive information (eg the victim’s username and password). Second, it shows how an adversary can exploit unsecured IoT endpoints by remotely turning on and off a connected power outlet. Finally, he showed how vulnerabilities can be used maliciously to launch advanced attacks. An example of taking control of an obsolete Windows 7 machine in a local network is thus detailed.

A burst of 12 published CVEs

Following the publication of this research, the ICASI (industry consortium for advancement of security) issued an alert bulletin listing the various vulnerabilities discovered by Mathy Vanhoef and their associated names: CVE-2020-24586 (deletion of memory fragments during reconnection to a network), CVE-2020-24587 (reassembly of fragments encrypted under different keys), CVE-2020-24588 (acceptance of non-SPP A-MSDU frames), CVE-2020-26139 (transfer of EAPOL frames even if the sender is not yet authenticated), CVE-2020-26140 (acceptance of unencrypted data frames in a protected network), CVE-2020-26141 (non-verification of fragmented TKIP MIC frames), CVE-2020- 26142 (processing fragmented images into full images), CVE-2020-26143 (accepting plain text fragmented data frames in a protected network), CVE-2020-26144 (accepting clear text A-MSDU frames starting with a RFC1042 header with EAPOL EtherType in a network encrypted), CVE-2020-26145 (accepting plain text broadcast fragments as full frames in an encrypted network), CVE-2020-26146 (reassembling encrypted fragments with non-consecutive packet numbers), CVE-2020 -26147 (reassembly of the mixed encrypted / clear fragments).