WiFi devices going back to 1997 vulnerable to new Frag Attacks

A Belgian security researcher has discovered a series of vulnerabilities that impact the WiFi standard, with some bugs dating back as far back as 1997 and affecting devices sold for the past 24 years.

The vulnerabilities, known as Frag Attacks, allow an attacker within a device's WiFi radio range to gather information about the owner and run malicious code to compromise a device, may it be a computer, smartphone, or other smart device.

Devices are also vulnerable even if the WiFi standard's security protocols were activated, such as WEP and WPA.

Design flaws in the WiFi standard itself

"Three of the discovered vulnerabilities are design flaws in the WiFi standard and therefore affect most devices," said Mathy Vanhoef, the Belgian academic and security researcher who found the Frag Attacks.

The rest are vulnerabilities caused "by widespread programming mistakes [in the implementation of the WiFi standard] in WiFi products," Vanhoef said.

"Experiments indicate that every WiFi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities," said Vanhoef, who is also scheduled to give an in-depth talk about his findings later this year in August at the USENIX '21 security conference.

"The discovery of these vulnerabilities comes as a surprise because the security of WiFi has in fact significantly improved over the past years," the Belgian researcher said.

Prior to disclosing the Frag Attacks today, Vanhoef previously discovered the KRACK and Dragonblood attacks. Vanhoef's previous findings have helped the WiFi standard improve its security posture, but his latest findings reside in older sections of the WiFi protocol, not improved by his previous discoveries, and already deployed with devices in the real world for decades.

Patching nightmare to come

Just like for his previous two findings, Vanhoef said he reported his findings to the WiFi Alliance. For the past nine months, the organization has worked to correct its standard and guidelines and work with device vendors to release firmware patches.

Users can check if their device received patches for one or more of the 12 Frag Attacks by checking their device's firmware changelogs and looking for security updates that address the CVE identifiers listed below:

WiFi standard design flaws:

• CVE-2020-24588: aggregation attack (accepting non-SPP A-MSDU frames).
• CVE-2020-24587: mixed key attack (reassembling fragments encrypted under different keys).
• CVE-2020-24586: fragment cache attack (not clearing fragments from memory when (re)connecting to a network).

WiFi standard implementation flaws:

• CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
• CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
• CVE-2020-26140: Accepting plaintext data frames in a protected network.
• CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.

Other implementation flaws:

• CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
• CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
• CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
• CVE-2020-26142: Processing fragmented frames as full frames.
• CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.

Some patches are out, more to come

If users can't tell if their device was patched, Vanhoef has listed a series of mitigations to protect users against attacks on his website in this section. The most basic protection is to ensure that users are accessing sites via HTTPS connections, which blocks the attacks from taking place. An additional FAQ section answering various other questions is also included on Vanhoef's site.

The Frag Attack was announced on the day of Microsoft's Patch Tuesday for May 2021, and the OS maker has delivered today fixes for three of the 12 bugs that impact Windows systems.

Cisco, HPE/Aruba, and Sierra Wireless have also released patches. Other vendors are scheduled to release their own in the coming weeks, per the Industry Consortium for Advancement of Security on the Internet (ICASI).

As for the technical side, a research paper is also available [PDF]. According to Vanhoef, the core issue at the heart of the Frag Attacks is how the WiFi standard breaks and then reassembles network packets, allowing threat actors to introduce their own malicious code into legitimate content during this operation.

However, Vanhoef said that executing an attack is not straightforward, and some exploits may require user interaction, which means they can't be abused for widespread worm-like attacks but could be useful in targeted or espionage operations.

A demo of a Frag Attack is available below, with a step-by-step explanation from Vanhoef himself.