Every Wi-Fi Device Back to 1997 Likely Vulnerable to FragAttacks

The FragAttack logo (a wifi symbol with many broken symbols) over a grey background.
Darlee Urbiztondo

Mathy Vanhoef, a security researcher known for finding holes in Wi-Fi security, has found a new avenue of breaking into Wi-Fi devices dubbed FragAttacks (fragmentation and aggregation attacks). The method works on every Wi-Fi device back to 1997, but thankfully some patches are already out.

FragAttacks comprise a series of vulnerabilities, three of which go back to Wi-Fi implementation introduced in 1997. The vulnerabilities affect all modern Wi-Fi security protocols, from WPA-3 all the back to WEP. 

In a demonstration, Vanhoef showed that the FragAttacks lead to several worrying possibilities. The demo shows Vanhoef turning on and off insecurity IOT smart plugs, stealing usernames and passwords, and even taking over a Windows 7 machine inside a “secure” network. Stealing credentials and taking over computers is a big worry, to say the least.

To understand the vulnerabilities, it’s important to know how a Wi-Fi network works. Networks prevent getting overwhelmed by breaking down data into packets for transmission. These data packet fragments are later collected and reassembled. Rather than transmitting all the data together, sending fragments with smaller frames will help throughput on a network. 

Frames are similar to data packets; they’re small parts of a message on a network. Frames serve as a handshake between devices and will contain more information about the message than a packet will. The vulnerabilities attack those facets of Wi-Fi networks to inject malicious frames on the network. FragAttacks can trick your network into accepting a fraudulent handshake message.

When your network accepts the handshake message, it then accepts a second subframe connected to the first “handshake message,” which passes on the real malicious data. As Vanhoef put it, “In a sense, one part of the code will think the frame is a handshake message and will accept it even though it’s not encrypted. Another part of the code will instead see it as an aggregated frame and will process the packet that the adversary wants to inject.”

The attack works with any Wi-Fi device and network, even ones that don’t support fragmentation and aggregation. That’s because those devices treat subframes as full frames and accept the malicious data. Several flaws in Wi-Fi implementation make all of this possible.

The good news is, Vanhoef disclosed the vulnerabilities responsibly and gave a nine-month lead time. Microsoft already released patches for Windows 10 that should mitigate the problem, and a fix for Linux is coming. But that still leaves plenty of IOT devices, routers, and macOS vulnerable. Vanhoef even managed to trick a macOS device to switch to a malicious DNS server, redirecting unsuspecting users to sites owned by a hacker. And with a malicious DNS server in place, the hacker could exfiltrate private data, like usernames, passwords, and possibly more.

The better news is, most of the vulnerabilities are hard to advantage of in the wild. At least currently. But, Vanhoef says the programming flaws that led to the vulnerability are trivial to abuse. You can, however, mitigate the exfiltration problem by sticking to HTTPS sites. Properly secured sites will prevent the bad actor from seeing your data in transit.

For now, update your devices as quickly as you can, especially Windows 10 devices as Microsoft already released patches. And stick to HTTPS whenever possible, whether or not you’re up to date. The newly opened FragAttacks site describing the vulnerabilities also suggests “disabling fragmentation, disabling pairwise rekeys, and disabling dynamic fragmentation in Wi-Fi 6 (802.11ax) devices.” And an opensource tool on Github can help test if your routers are still vulnerable.

Source

Author: admin

Leave a Reply

Your email address will not be published. Required fields are marked *