Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

End of Bibblio RCM includes -->

FragAttacks Foil 2 Decades of Wireless Security

Wireless security protocols have improved, but product vendors continue to make implementation errors that allow a variety of attacks.

The evolution of wireless security could at best be described as trial and error. The initial standard that debuted in the late 1990s — Wired Equivalent Privacy (WEP) — had significant security problems, and the first two version of Wireless Protected Access, WPA and WPA2, both have been found to be vulnerable to a variety of other security issues.

The trials continue with a host of so-called fragmentation attacks, or FragAttacks, that abuse the aggregation and fragmentation to allow machine-in-the-middle attacks. Details of the vulnerabilities, which have been kept secret for nine months, were disclosed at the Black Hat USA briefings on Aug. 5.

The issues occur in the way that small network packets are combined for transport, known as aggregation, or the way that large network packets are split up to improve reliability, known as aggregation. Even devices using WPA3, the latest wireless security standard, can be vulnerable, Mathy Vanhoef, a postdoctoral researcher at New York University Abu Dhabi, said during his Black Hat presentation.

"The fragmentation and aggregation functionality of Wi-Fi were never considered security-essential, so no one really looked at them," he said, adding: "This really shows that all implementations are vulnerable — even, surprisingly, those that don't support fragmentation and those that don't support aggregation."

The vulnerabilities — which Vanhoef described as design flaws in the IEEE 802.11 standard, more commonly known as Wi-Fi — were described in a paper released in June. The issues allow a local attacker who has fooled a victim into connecting to an attacker-controlled server to then insert themselves into the Wi-Fi network as a machine in the middle.

Vanhoef characterized these as design flaws because the specific mitigations are optional and not required, a lesson for future implementers of the standard.

"We should adopt defenses early, even if the concerns are theoretic, because that, for example, would have prevented the aggregation design flaw," he said. In addition, testing the software should be part of the credentialing process for vendors' devices, he added. "We should keep fuzzing devices; ... the Wi-Fi Alliance could fuzz devices while they are being certified."

Vanhoef discovered three design flaws in the current Wi-Fi standard. The first, CVE-2020-24588, allows an attacker to abuse the way that Wi-Fi aggregates smaller data packets into larger frames to optimize wireless data rates. The researcher used the attack to send victims on the local Wi-Fi network to an attacker-controlled domain name service (DNS) server, and then onto malicious website.

A second flaw, CVE-2020-24587, takes advantage of the specification's failure to verify that each fragment of a packet is using the same encryption key. Using a specially constructed packet, an attacker can append code onto a legitimate fragment of the victim's original packet.

"While this actually seems secure, the problems begin when fragmentation is combined with session-key renewal," Vanhoef said. "When the key is renewed, the packet numbers will be reset to 0. ... The problem is that the receiver will reassemble the packets even if the sender used different encryption keys."

The final flaw, CVE-2020-24586, takes advantage of the lack of deletion of packet fragments from legitimate users on a Wi-Fi network. A malicious user can cache packets on the Wi-Fi network, which, under certain circumstances, will be inserted into other users' packets.

To allow vendors and researchers to verify the issues, Vanhoef published a testing tool to GitHub. The software requires the credentials of the Wi-Fi network, so it is not considered an attack tool.

Many device makers still do not handle vulnerability disclosure well. Vanhoef worked with the Wi-Fi Alliance to disclose the issues to vendors, and most issued patches. Vanhoef modified the test tool for specific vendors and continues to work with the group to support vendors.

"To my surprise, some companies were not happy, even if they managed to write patches for most devices," he said. "I was actually happy that most devices got patches, because usually that is not the case for Wi-Fi."

At the end of 2020, two new security measures became standard for WPA3 — operating channel validation and beacon protection — and while they make the fragmentation attacks harder, they are still possible.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-09-28
An HTML injection/reflected Cross-site scripting (XSS) vulnerability was found in the ovirt-engine. A parameter "error_description" fails to sanitize the entry, allowing the vulnerability to trigger on the Windows Service Accounts home pages.
PUBLISHED: 2022-09-28
XXL-JOB 2.2.0 has a Command execution vulnerability in background tasks.
PUBLISHED: 2022-09-28
Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk...
PUBLISHED: 2022-09-28
readelf in ToaruOS 2.0.1 has some arbitrary address read vulnerabilities when parsing a crafted ELF file.
PUBLISHED: 2022-09-28
A stored Cross-Site Scripting (XSS) vulnerability exists in version 1.0 of the Expense Management System application that allows for arbitrary execution of JavaScript commands through index.php.