Dark Reading is part of the Informa Tech Division of Informa PLC
Wi-Fi Design, Implementation Flaws Allow a Range of Frag Attacks

Every Wi-Fi product is affected by at least one fragmentation and aggregation vulnerability, which could lead to a machine-in-the-middle attack, researcher says.

The ubiquitous Wi-Fi standard has at least three design flaws that allow a local attacker to intercept and exfiltrate wireless traffic, while additional implementation flaws enable more serious attacks for some wireless traffic, a well-known security researcher revealed this week. 

The design flaws in the IEEE 802.11 standard — more commonly known as Wi-Fi — allow an attacker who has tricked a user into visiting an attacker-controlled server, and thereby establishing a TCP connection, to set up a machine-in-the-middle (MitM) scenario, stated Mathy Vanhoef, a post-doctoral researcher at New York University Abu Dhabi, in an in-depth analysis of the security weaknesses. In addition, several vulnerabilities in specific Wi-Fi implementations make the issue more serious, allowing an attacker to gain additional access.


The results affect all protected Wi-Fi networks, starting with the older WEP standard and going all the way to the most recent version of Wi-Fi Protected Access, or WPA3, said Vanhoef in a paper to be presented at the prestigious USENIX Security Conference in August. The disclosure this week came after a nine-month coordinated effort to patch the flaws, he stated.

"The discovery of these vulnerabilities comes as a surprise because the security of Wi-Fi has in fact significantly improved over the past years," he said. "Unfortunately, a feature that could have prevented one of the newly discovered design flaws was not adopted in practice, and the other two design flaws are present in a feature of Wi-Fi that was previously not widely studied."

The three vulnerabilities in the 802.11 standard, by themselves, are not critical security risks. To exploit the vulnerabilities, the attacker must lure a targeted user to an attacker-controlled server and also be connected to the same Wi-Fi network as the victim, Vanhoef stated in his analysis.  

However, Vanhoef also found a number of implementation flaws related to the weaknesses, such as Wi-Fi devices that accept any unencrypted data frame, that allow more serious attacks. The overall implications of the vulnerabilities are unlikely to be understood for some time, says Keatron Evans, principal security researcher at cybersecurity education provider Infosec.

"What's most interesting is the fact that these latest vulnerabilities are really old and have been around for many years," he says. "It's also interesting now that it is a topic of discussion, but we have yet to see what new and novel Wi-Fi attack vectors spawn from this. I think of them as vulnerabilities that may eventually lead to much more serious vulnerabilities and exploits."

The security research focused on two parts of the Wi-Fi standard: Aggregation allows networks to combine small data frames into larger ones to improve the throughput of the network, while fragmentation allows a network to do the opposite — split large frames into smaller ones to improve reliability. 

The first design flaw lets plaintext be injected into a data stream: the targeted user is sent to an attacker-controlled server, the "is aggregated" flag of the resulting frames — which is not authenticated — is changed, and the data is then forwarded through the network. Two other vulnerabilities affect the way Wi-Fi devices implement fragmentation, which could in some cases allow data to be exfiltrated, Vanhoef stated.
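To show concretely why the "is aggregated" flag is unprotected, the following Python (added here; not code from Vanhoef's paper or the article) builds the CCMP additional authenticated data (AAD) from an 802.11 QoS data header and compares the result with and without the SPP A-MSDU capability, the standard feature that keeps the A-MSDU Present bit inside the authenticated data. The MAC addresses and field values are constructed, and the AAD construction is simplified (no Address 4 or HT Control handling).

```python
import struct
from typing import Optional

def ccmp_aad(fc: int, a1: bytes, a2: bytes, a3: bytes, sc: int,
             qc: Optional[int], spp_amsdu: bool = False) -> bytes:
    """Additional Authenticated Data for a CCMP-protected data frame.

    fc, sc and qc are the 16-bit Frame Control, Sequence Control and QoS
    Control fields as integers (little-endian on the wire). Simplified:
    Address 4 and HT Control are not handled.
    """
    # Frame Control: clear subtype bits b4-b6 (b7, the QoS bit, is kept),
    # clear Retry (b11), Power Mgmt (b12) and More Data (b13), and force
    # Protected Frame (b14) to 1.
    fc_masked = (fc & ~0x3870) | 0x4000
    # Sequence Control: keep the fragment number (b0-b3), clear the
    # sequence number so retransmissions still authenticate.
    sc_masked = sc & 0x000F
    aad = struct.pack('<H', fc_masked) + a1 + a2 + a3 + struct.pack('<H', sc_masked)
    if qc is not None:
        # QoS Control: only the TID (b0-b3) is authenticated. With SPP A-MSDU
        # negotiated the A-MSDU Present bit (b7) is also kept in the AAD.
        qc_mask = 0x000F | (0x0080 if spp_amsdu else 0x0000)
        aad += struct.pack('<H', qc & qc_mask)
    return aad

def amsdu_flag_is_authenticated(spp_amsdu: bool) -> bool:
    """True if toggling A-MSDU Present changes the AAD (i.e. the MIC
    check would catch the modification). Uses constructed header values."""
    fc = 0x0088                                  # type=Data, subtype=QoS Data
    a1 = bytes.fromhex('001122334455')           # constructed receiver address
    a2 = bytes.fromhex('66778899aabb')           # constructed transmitter address
    a3 = bytes.fromhex('ccddeeff0011')           # constructed BSSID
    sc = 0x0130                                  # seq 19, fragment 0
    qc_single = 0x0005                           # TID 5, A-MSDU Present = 0
    qc_amsdu = 0x0085                            # TID 5, A-MSDU Present = 1
    aad_single = ccmp_aad(fc, a1, a2, a3, sc, qc_single, spp_amsdu)
    aad_amsdu = ccmp_aad(fc, a1, a2, a3, sc, qc_amsdu, spp_amsdu)
    return aad_single != aad_amsdu

if __name__ == '__main__':
    print('legacy A-MSDU flag authenticated:', amsdu_flag_is_authenticated(False))
    print('SPP A-MSDU flag authenticated:   ', amsdu_flag_is_authenticated(True))
```

Without SPP A-MSDU the two AADs are byte-for-byte identical, so a flipped flag passes the integrity check; with SPP A-MSDU they differ and the frame is rejected.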

"The biggest risk in practice is likely the ability to abuse the discovered flaws to attack devices in someone's home network," he said. "For instance, many smart home and Internet of Things devices are rarely updated, and Wi-Fi security is the last line of defense that prevents someone from attacking these devices. Unfortunately, due to the discovered vulnerabilities, this last line of defense can now be bypassed."

Vanhoef is a well-known security researcher, having previously discovered the original key reinstallation attacks (KRACK) vulnerabilities in wireless networks.

While the attack requires a "perfect storm" of not only proximity but user interaction, the addition of nine other implementation flaws in different Wi-Fi devices and products means the potential for an attack should not be ignored, said Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, a vulnerability remediation orchestration provider, in a statement.

"That doesn't mean that these vulnerabilities can be ignored. This latest discovery should be a reminder that cyber hygiene best practices are critically important," he said. "End users and administrators alike need to be coordinated in their efforts to regularly patch connected devices, which include routers, IoT devices, and smartphones."

Companies that manage and monitor their devices should make sure the security updates are available — a list of products affected can be found on Vanhoef's GitHub page — and that devices have been updated, says Infosec's Evans.

"If an organization is already matured to where they are doing most of the security 101 stuff like patching, antivirus, and other endpoint protection, they will most likely be fine," he said. "There is an opportunity for some disruption and potentially some information leakage for unencrypted communications over the Wi-Fi."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
