
Millions of UK WiFi Routers and Devices at Risk of FragAttacks

Thursday, May 13th, 2021 (9:11 am) - Score 5,760

A Belgian security researcher, Mathy Vanhoef, has uncovered a bunch of new vulnerabilities in Wi-Fi (wireless networking) technology that stem from a mix of historic design flaws and programming mistakes, some of which may have been present all the way back since 1997! You’re about to hear a lot about “FragAttacks.”

The situation, which has caused various manufacturers of WiFi equipped devices and broadband routers to issue new firmware updates for their devices, is likely to affect a significant amount of kit. Companies and consumers who do not keep their devices up-to-date could thus be at risk from hackers (i.e. those within range of your signal, at least).

According to Vanhoef, any attacker within radio range of a victim can “abuse these vulnerabilities to steal user information or attack devices,” which is not great, and it only gets worse. “Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities,” said the researcher (this also includes kit with the latest WPA3 encryption standard).

The good news is that security updates to tackle these vulnerabilities are already being issued by many manufacturers and Vanhoef has also set up the FragAttacks website to help inform people of the dangers. Another bit of good news is that the design flaws are not easy to exploit, but the same cannot be said for those programming mistakes.

Mathy Vanhoef said:

“Fortunately, the design flaws are hard to abuse because doing so requires user interaction or is only possible when using uncommon network settings. As a result, in practice the biggest concern are the programming mistakes in Wi-Fi products since several of them are trivial to exploit.

The discovery of these vulnerabilities comes as a surprise, because the security of Wi-Fi has in fact significantly improved over the past years.”

Apparently, the vulnerabilities have been known about for the best part of a year and what we’re seeing now is a coordinated public disclosure (i.e. after giving companies time to patch), which has been supervised by the Wi-Fi Alliance and ICASI. If updates for your device are not yet available, you can mitigate some attacks (but not all) by ensuring that websites use HTTPS and by ensuring that your devices have received all other available updates.

Vanhoef doesn’t know for certain whether the flaws are already being exploited, although his team have not yet observed any evidence of this. On top of that it took a long time to discover some of the flaws, which do not appear to have been identified before.

The fact that any hacker needs to be in radio range of the target network and the network itself must have certain misconfigured settings further adds to the challenge, as would the need for an attacker to have direct interaction with a user.

The design flaws were assigned the following CVEs:

  • CVE-2020-24588: aggregation attack (accepting non-SPP A-MSDU frames).
  • CVE-2020-24587: mixed key attack (reassembling fragments encrypted under different keys).
  • CVE-2020-24586: fragment cache attack (not clearing fragments from memory when (re)connecting to a network).

Implementation vulnerabilities that allow the trivial injection of plaintext frames in a protected Wi-Fi network are assigned the following CVEs:

  • CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
  • CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
  • CVE-2020-26140: Accepting plaintext data frames in a protected network.
  • CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.

Other implementation flaws are assigned the following CVEs:

  • CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
  • CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
  • CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
  • CVE-2020-26142: Processing fragmented frames as full frames.
  • CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.
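
Several of the reassembly flaws listed above (CVE-2020-24587, CVE-2020-26143, CVE-2020-26146, CVE-2020-26147) come down to checks a receiver should make before joining fragments into one frame. The following C is an added example, not code from the article, the researcher or any vendor; the `struct frag` layout, the `check_fragments` function and the sample values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified view of one received 802.11 fragment. */
struct frag {
    uint8_t  frag_no;    /* fragment number from the sequence control field */
    bool     more_frags; /* More Fragments bit */
    bool     encrypted;  /* frame was protected and decrypted successfully */
    uint32_t key_id;     /* opaque handle of the key that decrypted it */
    uint64_t pn;         /* CCMP/GCMP packet number */
};

enum frag_verdict { FRAG_OK, FRAG_BAD_ORDER, FRAG_PLAINTEXT, FRAG_MIXED_KEY, FRAG_PN_GAP };

/* Decide whether a set of fragments may be reassembled in a protected network. */
enum frag_verdict check_fragments(const struct frag *f, size_t n)
{
    if (n == 0)
        return FRAG_BAD_ORDER;
    for (size_t i = 0; i < n; i++) {
        /* Fragments must be numbered 0..n-1 and only the last ends the set. */
        if (f[i].frag_no != i || f[i].more_frags != (i + 1 < n))
            return FRAG_BAD_ORDER;
        if (!f[i].encrypted)              /* CVE-2020-26143, CVE-2020-26147 */
            return FRAG_PLAINTEXT;
        if (i == 0)
            continue;
        if (f[i].key_id != f[0].key_id)   /* CVE-2020-24587 */
            return FRAG_MIXED_KEY;
        if (f[i].pn != f[i - 1].pn + 1)   /* CVE-2020-26146 */
            return FRAG_PN_GAP;
    }
    return FRAG_OK;
}

int main(void)
{
    /* Constructed sample: second fragment was decrypted under a different key. */
    const struct frag mixed[] = {
        { 0, true,  true, 1, 100 },
        { 1, false, true, 2, 101 },
    };
    printf("verdict=%d\n", check_fragments(mixed, 2));
    return 0;
}
```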

Suffice to say, now is a good time to ensure your devices and software are all up-to-date. Credits to Steve for pointing this out to us.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.