5/14/2021 10:50 AM

Wi-Fi Design, Implementation Flaws Allow a Range of Frag Attacks

Every Wi-Fi product is affected by at least one fragmentation and aggregation vulnerability, which could lead to a machine-in-the-middle attack, researcher says.

The ubiquitous Wi-Fi standard has at least three design flaws that allow a local attacker to intercept and exfiltrate wireless traffic, while additional implementation flaws enable more serious attacks for some wireless traffic, a well-known security researcher revealed this week. 

The design flaws in the IEEE 802.11 standard — more commonly known as Wi-Fi — allow an attacker who has tricked a user into visiting an attacker-controlled server to establish a TCP connection and set up a machine-in-the-middle (MitM) scenario, stated Mathy Vanhoef, a post-doctoral researcher at New York University Abu Dhabi, in an in-depth analysis of the security weaknesses. In addition, several vulnerabilities in specific Wi-Fi implementations make the issue more serious, allowing an attacker to gain additional access.

The results affect all protected Wi-Fi networks, starting with the older WEP standard and going all the way to the most recent version of Wi-Fi Protected Access, or WPA3, said Vanhoef in a paper to be presented at the prestigious USENIX Security Conference in August. The disclosure this week came after a nine-month coordinated effort to patch the flaws, he stated.

"The discovery of these vulnerabilities comes as a surprise because the security of Wi-Fi has in fact significantly improved over the past years," he said. "Unfortunately, a feature that could have prevented one of the newly discovered design flaws was not adopted in practice, and the other two design flaws are present in a feature of Wi-Fi that was previously not widely studied."

The three vulnerabilities in the 802.11 standard, by themselves, are not critical security risks. To exploit the vulnerabilities, the attacker must lure a targeted user to an attacker-controlled server and also be connected to the same Wi-Fi network as the victim, Vanhoef stated in his analysis.  

However, Vanhoef also found a number of implementation flaws related to the weaknesses, such as Wi-Fi devices that accept any unencrypted data frame, that allow more serious attacks. The overall implications of the vulnerabilities are unlikely to be understood for some time, says Keatron Evans, principal security researcher at cybersecurity education provider Infosec.

"What's most interesting is the fact that these latest vulnerabilities are really old and have been around for many years," he says. "It's also interesting that it is now a topic of discussion, but we have yet to see what new and novel Wi-Fi attack vectors spawn from this. I think of them as vulnerabilities that may eventually lead to much more serious vulnerabilities and exploits."

The security research focused on two parts of the Wi-Fi standard: Aggregation allows networks to combine small data frames into larger ones to improve the throughput of the network, while fragmentation allows a network to do the opposite — split large frames into smaller ones to improve reliability. 

The vulnerable standard allowed plaintext to be injected into a data stream by sending the targeted user to an attacker-controlled server, changing the "is aggregated" flag — which is not authenticated — and then forwarding the data through the network. Two other vulnerabilities affect the way Wi-Fi devices implement fragmentation, which could allow data to sometimes be exfiltrated, Vanhoef stated. 

"The biggest risk in practice is likely the ability to abuse the discovered flaws to attack devices in someone's home network," he said. "For instance, many smart home and Internet of Things devices are rarely updated, and Wi-Fi security is the last line of defense that prevents someone from attacking these devices. Unfortunately, due to the discovered vulnerabilities, this last line of defense can now be bypassed."

Vanhoef is a well-known security researcher, having previously discovered the original key reinstallation attacks (KRACK) vulnerabilities in wireless networks.

While the attack requires a "perfect storm" of not only proximity but user interaction, the addition of nine other implementation flaws in different Wi-Fi devices and products means the potential for an attack should not be ignored, said Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, a vulnerability remediation orchestration provider, in a statement.

"That doesn't mean that these vulnerabilities can be ignored. This latest discovery should be a reminder that cyber hygiene best practices are critically important," he said. "End users and administrators alike need to be coordinated in their efforts to regularly patch connected devices, which include routers, IoT devices, and smartphones."

Companies that manage and monitor their devices should make sure the security updates are available — a list of products affected can be found on Vanhoef's GitHub page — and that devices have been updated, says Infosec's Evans.

"If an organization is already matured to where they are doing most of the security 101 stuff like patching, antivirus, and other endpoint protection, they will most likely be fine," he said. "There is an opportunity for some disruption and potentially some information leakage for unencrypted communications over the Wi-Fi."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio