Posted by Babar Hashim, June 3, 2021
FragAttacks: What you need to know
FragAttacks are a brand new collection of vulnerabilities that affect all Wi-Fi-enabled devices, announced just a few weeks ago. Some of these vulnerabilities have been hidden in Wi-Fi for over 24 years, since the first Wi-Fi version. FragAttacks affect every version of Wi-Fi: WEP, WPA, WPA2, and even the brand new WPA3 are susceptible to these hacks.
The researcher who discovered these new vulnerabilities, Mathy Vanhoef, is a veteran Wi-Fi hacker. He is the guy who uncovered the KRACK and Dragonblood Wi-Fi hacks. He reported FragAttacks to the Wi-Fi Alliance nine months ago. Since then, they have been frantically working on fixes before making knowledge of the vulnerabilities public.
All Wi-Fi-enabled devices are susceptible to at least one of the FragAttacks. Nevertheless, how many devices remain unpatched? Have any people been hacked using these vulnerabilities? Moreover, how do they even work?
How do these FragAttacks render your Wi-Fi device vulnerable?
These FragAttacks consist of two types of vulnerabilities:
Design Flaws:
The design flaws are vulnerabilities in the Wi-Fi standard itself, so these bugs affect pretty much all devices. The design flaws are not as concerning as that sounds: while they can be used to exfiltrate data and inject malicious code, they are rather tricky to implement and require user interaction.
Aggregation
The first design flaw works because Wi-Fi often combines multiple small packets of data into a larger packet. The larger packet contains a flag that lets the receiving computer know whether it contains multiple packets. Mathy Vanhoef discovered that this flag is not authenticated, which means it can be modified, allowing a victim to be tricked into processing the encrypted transported data in an unintended manner. In plain terms, this means that an attacker can inject malicious packets into a network, which could force a victim into using a malicious DNS server, for example. This works even when the victim's network is password protected.
Fragmentation
The other design flaw works on the opposite principle: Wi-Fi sometimes splits larger packets into several smaller ones. By exploiting vulnerabilities in how data sent utilizing this feature is decrypted, an adversary can exfiltrate data from a victim, even from a password-protected network.
As I mentioned, these design flaws are pretty tricky to implement. However, the implementation flaws are a whole lot worse.
Implementation Flaws
The implementation flaws, however, are a little spicier. Implementation flaws are caused by widespread programming mistakes introduced by the manufacturers of Wi-Fi devices. These vulnerabilities are much easier to exploit than the design flaws and are therefore of most concern.
Our Wi-Fi hacking veteran (Mathy) discovered that certain Wi-Fi devices accept an unencrypted frame even when connected to a protected Wi-Fi network. This is a significant flaw and is the headline vulnerability in the FragAttack arsenal. Mathy demonstrates this vulnerability: all he has to do is specify a network to attack and the MAC address of the victim. By injecting unauthorized packets, he manages to turn off an IoT light bulb that is connected to a password-protected network.
A hacker turning off your lights is probably not very high up on your list of worries. Nevertheless, it is just an example. This flaw could be abused to inject anything. If the victim, in this case the light bulb, relies only on Wi-Fi for its security, it can be compromised. If it uses HTTPS or some other security protocol, then it is still potentially safe from this hack.
Various other implementation vulnerabilities have been discovered. A common theme among them is Wi-Fi clients or networks not checking to see if data is authenticated or processing data in such a way that allows a bad actor to inject malicious code.
Each of these vulnerabilities has been assigned a corresponding CVE identifier.
Design Flaws

| CVE | Description |
| --- | --- |
| CVE-2020-24586 | Fragment cache attack (not clearing fragments from memory when (re)connecting to a network). |
| CVE-2020-24587 | Mixed key attack (reassembling fragments encrypted under different keys). |
| CVE-2020-24588 | Aggregation attack (accepting non-SPP A-MSDU frames). |

Implementation Vulnerabilities (Trivial injection of plaintext frames in a protected Wi-Fi network)

| CVE | Description |
| --- | --- |
| CVE-2020-26145 | Accepting plaintext broadcast fragments as full frames (in an encrypted network). |
| CVE-2020-26144 | Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network). |
| CVE-2020-26140 | Accepting plaintext data frames in a protected network. |
| CVE-2020-26143 | Accepting fragmented plaintext data frames in a protected network. |

Other Implementation Flaws

| CVE | Description |
| --- | --- |
| CVE-2020-26139 | Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs). |
| CVE-2020-26146 | Reassembling encrypted fragments with non-consecutive packet numbers. |
| CVE-2020-26147 | Reassembling mixed encrypted/plaintext fragments. |
| CVE-2020-26142 | Processing fragmented frames as full frames. |
| CVE-2020-26141 | Not verifying the TKIP MIC of fragmented frames. |
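To make the fragmentation-related entries in the table concrete, here is an added example (not code from this post or from Mathy Vanhoef's tools) of a simplified fragment reassembler that enforces the checks those CVE descriptions say vulnerable implementations skip. The `Fragment` fields, the `key_id` epoch counter and the sample fragments are constructed assumptions that stand in for the real 802.11 header fields.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Fragment:
    """Constructed model of one 802.11 data fragment after the decryption attempt."""
    seq: int               # sequence number shared by all fragments of one frame
    frag_no: int           # fragment number 0, 1, 2, ...
    more_frags: bool       # More Fragments bit: further fragments follow
    encrypted: bool        # Protected bit: frame was actually decrypted
    pn: Optional[int]      # CCMP/GCMP packet number (None for plaintext)
    key_id: Optional[int]  # epoch of the session key that decrypted it (assumption)
    payload: bytes


class Reassembler:
    """Reassembles fragments while applying the checks the table above lists as missing."""

    def __init__(self) -> None:
        self.cache: dict = {}  # seq -> fragments collected so far

    def reconnect(self) -> None:
        # CVE-2020-24586: drop half-reassembled frames whenever we (re)connect
        self.cache.clear()

    def add(self, frag: Fragment) -> Optional[bytes]:
        """Return the reassembled payload when complete, None otherwise (or on rejection)."""
        # CVE-2020-26140/26143/26147: plaintext data in a protected network is never
        # accepted, so plaintext can also never be mixed with encrypted fragments.
        if not frag.encrypted:
            return None
        frags = self.cache.get(frag.seq, [])
        if frags:
            prev = frags[-1]
            # CVE-2020-24587: every fragment must come from the same key epoch
            # CVE-2020-26146: packet numbers (and fragment numbers) must be consecutive
            if (prev.key_id != frag.key_id or frag.pn != prev.pn + 1
                    or frag.frag_no != prev.frag_no + 1):
                self.cache.pop(frag.seq, None)
                return None
        elif frag.frag_no != 0:
            # CVE-2020-26142: a non-first fragment on its own is not a full frame
            return None
        frags.append(frag)
        if frag.more_frags:
            self.cache[frag.seq] = frags
            return None
        self.cache.pop(frag.seq, None)
        return b"".join(f.payload for f in frags)
```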
Can you test your devices for vulnerability?
Mathy has released a set of tools that helps test clients and access points to see if they are vulnerable to these "FragAttacks." A live USB version of these tools comes with all the drivers and everything you need pre-installed; if you are interested, that is probably the best option. Also, while the documentation is extensive, the installation process looks a little involved. Learn more at https://www.fragattacks.com/.
Are there any ways to defend if your device is vulnerable?
Yes. You can protect yourself or minimize the threat by:
- Making sure that you're using HTTPS, as it acts as an additional layer of protection
- Configuring your DNS server such that it cannot be poisoned
There are also some lower-level settings you can change; however, the good news is that there is no evidence of these hacks being used in the wild. The hacks also require an attacker to be within range of the devices they want to exploit.
What is Silex's plan to get its devices updated?
Please note that the above list is the complete set of vulnerabilities discovered by the research team, but not all products contain all vulnerabilities. We are assessing which of our products contain which vulnerabilities, and future communications will contain information on impacted products and remediation instructions. In the meantime, please contact us at sales@silexamerica.com if you have any specific questions on your Silex product.