One of the things that makes Wi-Fi work is its ability to split large frames into smaller fragments and to aggregate several small frames into one larger frame, depending on the needs of the network at any given moment. These mundane network plumbing features, it turns out, have been harboring vulnerabilities that can be exploited to send users to malicious websites or to exploit or tamper with network-connected devices, newly published research shows.
In all, researcher Mathy Vanhoef found a dozen vulnerabilities, either in the Wi-Fi specification or in the way the specification has been implemented in huge numbers of devices. Vanhoef has dubbed the vulnerabilities FragAttacks, short for fragmentation and aggregation attacks, because they all involve frame fragmentation or frame aggregation. Broadly speaking, they allow people within radio range to inject frames of their choice into networks protected by WPA-based encryption.
Bad news
Assessing the impact of the vulnerabilities isn’t straightforward. FragAttacks allow data to be injected into Wi-Fi traffic, but they don’t make it possible to exfiltrate anything out. That means FragAttacks can’t be used to read passwords or other sensitive information the way Krack, a previous Wi-Fi attack by Vanhoef, did. But it turns out that the vulnerabilities, some of which have been part of Wi-Fi since its release in 1997, can be exploited to inflict other kinds of damage, particularly if paired with other types of hacks.
“It's never good to have someone able to drop packets into your network or target your devices on the network,” Mike Kershaw, a Wi-Fi security expert and developer of the open source Kismet wireless sniffer and IDS, wrote in an email. “In some regards, these are no worse than using an unencrypted access point at a coffee shop—someone can do the same to you there, trivially—but because they can happen on networks you'd otherwise think are secure and might have configured as a trusted network, it's certainly bad news.”
He added: “Overall, I think they give someone who was already targeting an attack against an individual or company a foothold they wouldn't have had before, which is definitely impactful, but probably don’t pose as huge a risk as drive-by attacks to the average person.”
While the flaws were disclosed last week in an industry-wide effort nine months in the making, it remains unclear in many cases which devices were vulnerable to which vulnerabilities and which vulnerabilities, if any, have received security updates. It’s almost a certainty that many Wi-Fi-enabled devices will never be fixed.
Rogue DNS injection
One of the most severe vulnerabilities in the FragAttacks suite resides in the Wi-Fi specification itself. Tracked as CVE-2020-24588, it is an aggregation flaw: the header flag that marks a frame as an aggregate of several smaller frames (an A-MSDU) is not authenticated by the encryption, so an attacker can flip it and make the receiver parse an ordinary encrypted frame as a bundle of attacker-chosen frames. The flaw can be exploited in a way that forces Wi-Fi devices to use a rogue DNS server, which in turn can deliver users to malicious websites rather than the ones they intended. From there, hackers can read and modify any unencrypted traffic. Rogue DNS servers also allow hackers to perform DNS rebinding attacks, in which malicious websites manipulate a browser to attack other devices connected to the same network.
The rogue DNS server is introduced when an attacker injects an ICMPv6 Router Advertisement into Wi-Fi traffic. Routers periodically issue these announcements so that hosts on the network can discover them and configure IPv6 addressing; an advertisement can also carry a Recursive DNS Server (RDNSS) option that hands out DNS server addresses. The injected advertisement instructs all devices to use a DNS server specified by the attacker for lookups of both IPv6 and IPv4 addresses.
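Below is an added example, not part of the article or of Vanhoef's tooling, showing what such an advertisement is on the wire and how a network sensor can spot a rogue one. It builds an ICMPv6 Router Advertisement whose only option is RDNSS (RFC 8106), computes the checksum over the IPv6 pseudo-header, and then parses an advertisement back out, rejecting bad checksums and malformed options and reporting any DNS server not on the network's allow-list. The addresses and the allow-list are constructed for the example.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_RDNSS = 25               # Recursive DNS Server option, RFC 8106
IPPROTO_ICMPV6 = 58


def ones_complement_checksum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmpv6_checksum(src, dst, message):
    """Checksum over the IPv6 pseudo-header plus the ICMPv6 message (RFC 8200 section 8.1)."""
    pseudo = src.packed + dst.packed + struct.pack("!I3xB", len(message), IPPROTO_ICMPV6)
    return ones_complement_checksum(pseudo + message)


def build_router_advertisement(src, dst, dns_servers, lifetime=1800):
    """RA whose only option is RDNSS, which is all an attacker needs to redirect DNS."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    addrs = b"".join(ipaddress.IPv6Address(a).packed for a in dns_servers)
    # RDNSS option: type, length in 8-octet units (1 for the header + 2 per address),
    # reserved, lifetime, then the addresses
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns_servers), 0, lifetime) + addrs
    # RA header: type, code, checksum (0 while computing), hop limit, flags,
    # router lifetime, reachable time, retrans timer
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, lifetime, 0, 0)
    msg = header + rdnss
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]


def rdnss_servers(src, dst, message):
    """Return the DNS servers an RA advertises; raise on malformed input or bad checksum."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    if len(message) < 16 or message[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a router advertisement")
    if icmpv6_checksum(src, dst, message) != 0:     # a message with a valid checksum sums to zero
        raise ValueError("bad ICMPv6 checksum")
    servers, off = [], 16
    while off + 2 <= len(message):
        opt_type, opt_len = message[off], message[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(message):
            raise ValueError("malformed option")
        if opt_type == OPT_RDNSS:
            for i in range(8, opt_len, 16):
                servers.append(str(ipaddress.IPv6Address(message[off + i:off + i + 16])))
        off += opt_len
    return servers


def unexpected_dns_servers(src, dst, message, allowed):
    """Detection check: RDNSS addresses that are not on the network's allow-list."""
    return [s for s in rdnss_servers(src, dst, message) if s not in allowed]


if __name__ == "__main__":
    # Constructed example: a link-local "router" advertising a DNS server to all nodes.
    ra = build_router_advertisement("fe80::1", "ff02::1", ["2001:db8::53"])
    print(ra.hex())
    print("rogue:", unexpected_dns_servers("fe80::1", "ff02::1", ra, {"2001:db8::1"}))
```

On a network that only uses IPv4, a client that has IPv6 autoconfiguration disabled will ignore the advertisement entirely, which is the cheapest client-side hardening; a sensor such as Kismet or a switch with RA Guard can apply the allow-list check above to advertisements seen on the air or on the wire.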
An exploit demoed in a video Vanhoef published, "FragAttacks: Demonstration of Flaws in WPA2/3," shows the attacker luring the target to a website that stashes the router advertisement in an image.
[Figure: visual overview of the attack; image credit Mathy Vanhoef]
In an email, Vanhoef explained: “The IPv6 router advertisement is put in the payload (i.e. data portion) of the TCP packet. This data is by default passed on to the application that created the TCP connection. In the demo, that would be the browser, which is expecting an image. This means that by default, the client won't process the IPv6 router advertisement but instead process the TCP payload as application data.”
Vanhoef said that it’s possible to perform the attack without user interaction when the target’s access point is vulnerable to CVE-2020-26139, one of the 12 vulnerabilities that make up the FragAttacks package. That flaw, which Vanhoef identified in the NetBSD 7.1 kernel, causes Wi-Fi access points to forward Extensible Authentication Protocol over LAN (EAPOL) frames to other devices even when the sender has not yet authenticated to the AP. An attacker can therefore deliver the advertisement through the access point itself instead of luring the victim to a website.
It’s safe to skip ahead, but for those curious about the specific software bug and the reason the video demo uses a malicious image, Vanhoef explained:
Punching a hole in the firewall
Four of the 12 vulnerabilities that make up the FragAttacks are implementation flaws, meaning they stem from bugs that software developers introduced when writing code based on the Wi-Fi specification. An attacker can exploit them against access points to bypass a key security benefit they provide.
Besides allowing multiple devices to share a single Internet connection, routers prevent incoming traffic from reaching connected devices unless the devices have requested it. This protection is a side effect of network address translation, or NAT: the router maps the private IP addresses it assigns each device on the local network to the single public IP address it uses on the Internet, and it keeps a table of the connections each device has opened so it knows where to deliver the replies.
The result is that routers forward data to connected devices only when they have previously requested it from a website, email server, or other machine on the Internet. When one of those machines tries to send unsolicited data to a device behind the router, the router automatically discards it. This arrangement isn’t perfect, but it does provide a vital defense that protects billions of devices.
Vanhoef figured out how to exploit the four vulnerabilities in a way that allows an attacker to, as he put it, “punch a hole through a router’s firewall.” With the ability to connect directly to devices behind a firewall, an Internet attacker can then send them malicious code or commands.
In one demo in the video, Vanhoef exploits the vulnerabilities to control an Internet-of-things device, specifically to remotely turn on and off a smart power socket. Normally, NAT would prevent a device outside the network from interacting with the socket unless the socket had first initiated a connection. The implementation exploits remove this barrier.
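To make the "hole punching" concrete, here is an added model of the router's behaviour, written for this article rather than taken from Vanhoef's demo. It implements a port-restricted NAT in a few dozen lines: an outbound packet from the LAN creates a mapping, an inbound packet is forwarded only if it matches a mapping and comes from the same remote peer, and everything else is dropped. The attack is then a single step: one frame injected on the Wi-Fi side, which the router cannot distinguish from the smart socket opening a connection to the attacker's server, creates the mapping the Internet-side attacker needs. How that frame gets injected is the job of the implementation flaws listed later; here it is simply a packet with the socket's address as its source. All addresses and ports are constructed.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulNat:
    """Port-restricted NAT: an inbound packet is forwarded only if a matching outbound
    flow created a mapping, and only when it comes from that flow's remote peer."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self._next_port = count(40000)
        self._by_flow = {}   # (lan_ip, lan_port, remote_ip, remote_port) -> external port
        self._by_ext = {}    # external port -> (lan_ip, lan_port, remote_ip, remote_port)

    def lan_to_wan(self, pkt):
        """Translate a packet seen on the LAN side, creating a mapping if there is none."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext = self._by_flow.get(flow)
        if ext is None:
            ext = next(self._next_port)
            self._by_flow[flow] = ext
            self._by_ext[ext] = flow
        return Packet(self.public_ip, ext, pkt.dst_ip, pkt.dst_port)

    def wan_to_lan(self, pkt):
        """Return the translated packet, or None when the router drops it."""
        flow = self._by_ext.get(pkt.dst_port)
        if flow is None:
            return None                                   # unsolicited: no mapping at all
        lan_ip, lan_port, remote_ip, remote_port = flow
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                                   # mapping exists, but for another peer
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)


SOCKET_IP, SOCKET_PORT = "192.168.1.20", 8080        # constructed: smart socket on the LAN
ATTACKER_IP, ATTACKER_PORT = "203.0.113.7", 4444     # constructed: attacker's Internet host


def punch_hole():
    """Return (result before the injection, result after it) for the attacker's packet."""
    nat = StatefulNat(public_ip="198.51.100.1")

    # 1. From the Internet, the attacker cannot reach the socket: nothing maps to it.
    before = nat.wan_to_lan(Packet(ATTACKER_IP, ATTACKER_PORT, nat.public_ip, SOCKET_PORT))

    # 2. Within radio range, the attacker injects one frame that the AP sees as the socket
    #    opening a connection to the attacker's server. The NAT dutifully records a mapping.
    spoofed = nat.lan_to_wan(Packet(SOCKET_IP, SOCKET_PORT, ATTACKER_IP, ATTACKER_PORT))

    # 3. The Internet-side host now sends to the mapped port and is forwarded to the socket.
    after = nat.wan_to_lan(Packet(ATTACKER_IP, ATTACKER_PORT, nat.public_ip, spoofed.src_port))
    return before, after


if __name__ == "__main__":
    before, after = punch_hole()
    print("before injection:", before)
    print("after injection: ", after)
```

Real NATs expire mappings after some idle time and differ in how strictly they check the remote peer (a full-cone NAT would accept any source once the mapping exists), but neither detail changes the outcome: a single spoofed LAN-side packet is enough to open a path from the Internet to the device.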
In a separate demo, Vanhoef shows how the vulnerabilities allow a device on the Internet to initiate a connection with a computer running Windows 7, an operating system that stopped receiving security updates in January 2020. The researcher used that ability to gain complete control over the PC by sending it malicious code that exploited a critical vulnerability called BlueKeep.
“That means that when an access point is vulnerable, it becomes easy to attack clients!” Vanhoef wrote. “So we're abusing the Wi-Fi implementation flaws in an access point as a first step in order to subsequently attack (outdated) clients.”
Getting your fix
Despite Vanhoef spending nine months coordinating patches with more than a dozen hardware and software makers, it’s not easy to figure out which devices or software are vulnerable to which vulnerabilities, and of those vulnerable products, which ones have received fixes.
This page provides the status for products from several companies. A more comprehensive list of known advisories is here. Other advisories are available individually from their respective vendors. The vulnerabilities to look for are:
Design flaws:
CVE-2020-24588: aggregation attack (accepting non-SPP A-MSDU frames)
CVE-2020-24587: mixed key attack (reassembling fragments encrypted under different keys)
CVE-2020-24586: fragment cache attack (not clearing fragments from memory when (re)connecting to a network)

Implementation vulnerabilities allowing the injection of plaintext frames:
CVE-2020-26145: accepting plaintext broadcast fragments as full frames (in an encrypted network)
CVE-2020-26144: accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network)
CVE-2020-26140: accepting plaintext data frames in a protected network
CVE-2020-26143: accepting fragmented plaintext data frames in a protected network

Other implementation flaws:
CVE-2020-26139: forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs)
CVE-2020-26146: reassembling encrypted fragments with non-consecutive packet numbers
CVE-2020-26147: reassembling mixed encrypted/plaintext fragments
CVE-2020-26142: processing fragmented frames as full frames
CVE-2020-26141: not verifying the TKIP MIC of fragmented frames
The most effective way to mitigate the threat posed by FragAttacks is to install all available updates that fix the vulnerabilities. Users will have to do this on each vulnerable computer, router, or other Internet-of-things device. It’s likely that a huge number of affected devices will never receive a patch.
The next-best mitigation is to ensure that websites are always using HTTPS connections. That’s because the encryption HTTPS provides greatly reduces the damage that can be done when a malicious DNS server directs a victim to a fake website.
Sites that use HTTP Strict Transport Security (HSTS) will always get this protection once a browser has seen the site's HSTS header or has the site on its preload list, but Vanhoef said that only about 20 percent of the web does this. Browser extensions like HTTPS Everywhere were already a good idea, and the mitigation they provide against FragAttacks makes them even more worthwhile.
As noted earlier, FragAttacks aren’t likely to be exploited against the vast majority of Wi-Fi users, since the exploits require a high degree of skill as well as proximity—meaning within 100 feet to a half-mile, depending on the equipment used—to the target. The vulnerabilities pose a higher threat to networks used by high-value targets such as retail chains, embassies, or corporate networks where security is key, and then most likely only in concert with other exploits.
When updates become available, by all means install them, but unless you’re in this latter group, remember that drive-by downloads and other more mundane types of attacks will probably pose a bigger threat.