Posted by Babar Hashim, June 3, 2021
FragAttack: What you need to know?
FragAttacks are a brand new collection of vulnerabilities that affect all Wi-Fi-enabled devices announced just a few weeks ago. Some of these vulnerabilities have been hidden in Wi-Fi for over 24 years since the first Wi-Fi version. FragAttacks affect every version of Wi-Fi wep, wpa, wpa2, and even the brand new wpa3 is susceptible to these hacks.
The researcher who discovered these new vulnerabilities, Mathy Vanhoef, is a veteran Wi-Fi hacker. He is the guy who uncovered the crack and dragonblood Wi-Fi hacks. He reported FragAttacks to the Wi-Fi alliance nine months ago. Since then, they have been frantically working on fixes before making knowledge of the vulnerabilities public.
All Wi-Fi-enabled devices are susceptible to at least one of the FragAttacks. Nevertheless, how many devices remain unpatched? Have any people been hacked using these vulnerabilities? Moreover, how do they even work?
How do these FragAttacks render your Wi-Fi device vulnerable?
These FragAttacks consist of two types of vulnerabilities:
The design flaws are vulnerabilities in the Wi-Fi standard itself. So these bugs will affect pretty much all devices. Design flaws are not quite that concerning. While they can be used to exfiltrate data and inject malicious code, they are rather tricky to implement and require user interaction.
The first design flaw works because Wi-Fi often combines multiple small packets of data into larger packets. The larger packet contains a flag that lets the receiving computer know if it contains multiple packets. Mathy Vanhoef discovered that this flag is not authenticated, which means it can be modified, allowing a victim to be tricked into processing the encrypted transported data in an unintended manner. In English, this means that malicious packets can be injected into a network by an attacker, which could force a victim into using a malicious DNS server, for example. This works even when a victim network is password protected.
The other design flaw works on the opposite principle: Wi-Fi sometimes splits larger packets into several smaller ones. By exploiting vulnerabilities in how data sent utilizing this feature is decrypted, an adversary can exfiltrate data from a victim, even from a password-protected network.
As I mentioned, these design flaws are pretty tricky to implement. However, the implementation flaws are a whole lot worse.
The implementation flaws, however, are a little more spicy. Implementation flaws are caused by widespread programming mistakes introduced by the manufacturers of Wi-Fi devices. These vulnerabilities are much easier to exploit than the design flaws and are therefore of most concern.
Our Wi-Fi hacking veteran (Mathy) discovered that certain Wi-Fi devices accept an unencrypted frame even when connected to a protected Wi-Fi network. This is a significant flaw and is the headline vulnerability in the FragAttack arsenal. Mathy demonstrates this vulnerability. All he has to do is specify a network to attack and the mac address of the victim. He manages to turn off an iot light bulb by injecting unauthorized packets, which is connected to a password-protected network.
Hacker turning off your lights probably is not very high up on your list of worries. Nevertheless, it is just an example. This flaw could be abused to inject anything. If the victim, in this case, the light bulb, relies only on Wi-Fi for its security, it can be compromised. If it uses HTTPS or some other security protocol, then it is still potentially safe from this hack.
Various other implementation vulnerabilities have been discovered. A common theme among them is Wi-Fi clients or networks not checking to see if data is authenticated or processing data in such a way that allows a bad actor to inject malicious code.
Each of these vulnerabilities has been assigned a corresponding CVE identifier.
|CVE-2020-24586||Fragment cache attack (not clearing fragments from memory when (re)connecting to a network).|
|CVE-2020-24587||Mixed key attack (reassembling fragments encrypted under different keys).|
|CVE-2020-24588||Aggregation attack (accepting non-SPP A-MSDU frames).|
(Trivial injection of plaintext frames in a protected Wi-Fi network)
|CVE-2020-26145||Accepting plaintext broadcast fragments as full frames (in an encrypted network).|
|CVE-2020-26144||Accepting plaintext, A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).|
|CVE-2020-26140||Accepting plaintext data frames in a protected network|
|CVE-2020-26143||Accepting fragmented plaintext data frames in a protected network.|
|Other Implementation Flaws|
|CVE-2020-26139||Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).|
|CVE-2020-26146||Reassembling encrypted fragments with non-consecutive packet numbers.|
|CVE-2020-26147||Reassembling mixed encrypted/plaintext fragments.|
|CVE-2020-26142||Processing fragmented frames as full frames.|
|CVE-2020-26141||Not verifying the TKIP MIC of fragmented frames.|
Can you test your devices for vulnerability?
Mathy has released a set of tools that helps test clients and access points to see if they are vulnerable to these "FragAttacks." A live usb version of these tools comes with all the drivers and everything you need pre-installed. You should probably best use that if you are interested. Also, while there is a great level of documentation, the installation process looks a little involved. Learn more at https://www.fragattacks.com/.
Are there any ways to defend if your device is vulnerable?
Yes. You can protect yourself or minimize the threat by:
- Making sure that you're using "https" as it acts as an additional layer of protection
- Also configure your DNS server such that it cannot be poisoned
There are also some lower-level settings you can change; however, the good news is that there is no evidence of these hacks being used in the wild. The hacks also require an attacker to be within range of the devices they want to exploit.
What is Silex's plan to get its devices updated?
Please note that the above list is the complete set of vulnerabilities discovered by the research team, but not all products contain all vulnerabilities. We are assessing which of our products contain which vulnerabilities, and future communications will contain information on impacted products and remediation instructions. In the meantime, please contact our firstname.lastname@example.org if you have any specific questions on your Silex product.