FragAttacks Foil 2 Decades of Wireless Security

Wireless security protocols have improved, but product vendors continue to make implementation errors that allow a variety of attacks.

The evolution of wireless security could at best be described as trial and error. The initial standard that debuted in the late 1990s — Wired Equivalent Privacy (WEP) — had significant security problems, and the first two versions of Wireless Protected Access, WPA and WPA2, have both been found vulnerable to a variety of other security issues.

The trials continue with a host of so-called fragmentation attacks, or FragAttacks, that abuse Wi-Fi's aggregation and fragmentation features to enable machine-in-the-middle attacks. Details of the vulnerabilities, which had been kept secret for nine months, were disclosed at the Black Hat USA briefings on Aug. 5.

The issues occur in the way that small network packets are combined for transport, known as aggregation, or the way that large network packets are split up to improve reliability, known as fragmentation. Even devices using WPA3, the latest wireless security standard, can be vulnerable, Mathy Vanhoef, a postdoctoral researcher at New York University Abu Dhabi, said during his Black Hat presentation.

"The fragmentation and aggregation functionality of Wi-Fi were never considered security-essential, so no one really looked at them," he said, adding: "This really shows that all implementations are vulnerable — even, surprisingly, those that don't support fragmentation and those that don't support aggregation."

The vulnerabilities — which Vanhoef described as design flaws in the IEEE 802.11 standard, more commonly known as Wi-Fi — were described in a paper released in June. The issues allow a local attacker who has fooled a victim into connecting to an attacker-controlled server to then insert themselves into the Wi-Fi network as a machine in the middle.

Vanhoef characterized these as design flaws because the specific mitigations are optional and not required, a lesson for future implementers of the standard.

"We should adopt defenses early, even if the concerns are theoretic, because that, for example, would have prevented the aggregation design flaw," he said. In addition, testing the software should be part of the credentialing process for vendors' devices, he added. "We should keep fuzzing devices; ... the Wi-Fi Alliance could fuzz devices while they are being certified."

Vanhoef discovered three design flaws in the current Wi-Fi standard. The first, CVE-2020-24588, allows an attacker to abuse the way that Wi-Fi aggregates smaller data packets into larger frames to optimize wireless data rates. The researcher used the attack to send victims on the local Wi-Fi network to an attacker-controlled domain name service (DNS) server, and from there to a malicious website.

A second flaw, CVE-2020-24587, takes advantage of the specification's failure to verify that each fragment of a packet is using the same encryption key. Using a specially constructed packet, an attacker can append code onto a legitimate fragment of the victim's original packet.

"While this actually seems secure, the problems begin when fragmentation is combined with session-key renewal," Vanhoef said. "When the key is renewed, the packet numbers will be reset to 0. ... The problem is that the receiver will reassemble the packets even if the sender used different encryption keys."

The final flaw, CVE-2020-24586, takes advantage of receivers that do not clear cached packet fragments from legitimate users when a client (re)connects to a Wi-Fi network. A malicious user can leave fragments in a device's cache which, under certain circumstances, will later be reassembled into other users' packets.
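The two fragmentation flaws described above (CVE-2020-24587, mixed-key reassembly, and CVE-2020-24586, stale cached fragments) are both receiver-side checks that the standard left optional. The following is an added example, not code from the article or from Vanhoef's test tool: a simplified Python model of a receiver's fragment cache that enforces the defensive checks a patched implementation needs. The frame fields (`seq`, `frag_no`, `key_id`, `pn`) are this example's own simplification, not the real 802.11 header layout, and every fragment in `demo()` is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Fragment:
    """One constructed fragment. Field names are this example's own, not 802.11's."""
    seq: int          # sequence number shared by all fragments of one frame
    frag_no: int      # position of this fragment, starting at 0
    more_frags: bool  # True unless this is the last fragment of the frame
    key_id: int       # identifies the session key that decrypted this fragment
    pn: int           # packet number (replay counter) carried by the fragment
    payload: bytes


@dataclass
class Reassembler:
    """Receiver-side fragment cache with the defensive checks applied."""
    cache: Dict[int, List[Fragment]] = field(default_factory=dict)
    drops: List[str] = field(default_factory=list)

    def on_connect(self) -> None:
        # Flush everything cached under the previous association, so a fragment
        # planted earlier cannot be spliced onto a frame sent after (re)connecting.
        self.cache.clear()

    def receive(self, frag: Fragment) -> Optional[bytes]:
        """Return the reassembled frame when its last fragment arrives, else None."""
        if frag.frag_no == 0:
            self.cache[frag.seq] = [frag]
        else:
            pending = self.cache.get(frag.seq)
            if pending is None:
                self.drops.append(f"seq {frag.seq}: fragment {frag.frag_no} without a first fragment")
                return None
            prev = pending[-1]
            # Mixed-key check: every fragment must have been decrypted under the
            # same session key. A rekey resets packet numbers, so the PN alone
            # cannot tell fragments from different keys apart.
            if frag.key_id != prev.key_id:
                self.drops.append(f"seq {frag.seq}: fragment {frag.frag_no} used a different key")
                del self.cache[frag.seq]
                return None
            # Fragments must arrive in order with consecutive packet numbers.
            if frag.frag_no != prev.frag_no + 1 or frag.pn != prev.pn + 1:
                self.drops.append(f"seq {frag.seq}: out-of-order fragment {frag.frag_no}")
                del self.cache[frag.seq]
                return None
            pending.append(frag)
        if frag.more_frags:
            return None
        return b"".join(f.payload for f in self.cache.pop(frag.seq))


def demo() -> dict:
    """Run four constructed scenarios and report what the receiver accepted."""
    results = {}
    rx = Reassembler()
    rx.on_connect()
    # 1. Honest two-fragment frame, both fragments under the same key.
    rx.receive(Fragment(1, 0, True, key_id=1, pn=10, payload=b"GET /index"))
    results["honest"] = rx.receive(Fragment(1, 1, False, key_id=1, pn=11, payload=b".html"))
    # 2. Second fragment decrypted under a new key after a rekey (PN reset to 0).
    rx.receive(Fragment(2, 0, True, key_id=1, pn=12, payload=b"GET /a"))
    results["mixed_key"] = rx.receive(Fragment(2, 1, False, key_id=2, pn=0, payload=b"/b"))
    # 3. First fragment left in the cache from before a reconnect.
    rx.receive(Fragment(3, 0, True, key_id=2, pn=1, payload=b"stale"))
    rx.on_connect()
    results["stale_cache"] = rx.receive(Fragment(3, 1, False, key_id=2, pn=2, payload=b"tail"))
    # 4. Packet-number gap between two fragments of one frame.
    rx.receive(Fragment(4, 0, True, key_id=2, pn=5, payload=b"x"))
    results["pn_gap"] = rx.receive(Fragment(4, 1, False, key_id=2, pn=9, payload=b"y"))
    results["drops"] = list(rx.drops)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Only the honest frame is reassembled; the other three scenarios are dropped and recorded in `drops`, which is the behaviour a defender wants to see when testing a device with a tool such as the one Vanhoef published. Real implementations track the key and packet number per sender and per traffic class, but the checks themselves are the same.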

To allow vendors and researchers to verify the issues, Vanhoef published a testing tool to GitHub. The software requires the credentials of the Wi-Fi network, so it is not considered an attack tool.

Many device makers still do not handle vulnerability disclosure well. Vanhoef worked with the Wi-Fi Alliance to disclose the issues to vendors, and most issued patches. Vanhoef modified the test tool for specific vendors and continues to work with the group to support vendors.

"To my surprise, some companies were not happy, even if they managed to write patches for most devices," he said. "I was actually happy that most devices got patches, because usually that is not the case for Wi-Fi."

At the end of 2020, two new security measures became standard for WPA3 — operating channel validation and beacon protection — and while they make the fragmentation attacks harder, they are still possible.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...