
10:50 AM

Wi-Fi Design, Implementation Flaws Allow a Range of Frag Attacks

Every Wi-Fi product is affected by at least one fragmentation and aggregation vulnerability, which could lead to a machine-in-the-middle attack, researcher says.

The ubiquitous Wi-Fi standard has at least three design flaws that allow a local attacker to intercept and exfiltrate wireless traffic, while additional implementation flaws enable more serious attacks for some wireless traffic, a well-known security researcher revealed this week. 

The design flaws in the IEEE 802.11 standard — more commonly known as Wi-Fi — allow an attacker who has tricked a user into visiting an attacker-controlled server, thereby opening a TCP connection, to set up a machine-in-the-middle (MitM) scenario, stated Mathy Vanhoef, a post-doctoral researcher at New York University Abu Dhabi, in an in-depth analysis of the security weaknesses. In addition, several vulnerabilities in specific Wi-Fi implementations make the issue more serious, allowing an attacker to gain additional access.


The results affect all protected Wi-Fi networks, starting with the older WEP standard and going all the way to the most recent version of Wi-Fi Protected Access, or WPA3, said Vanhoef in a paper to be presented at the prestigious USENIX Security Conference in August. The disclosure this week came after a nine-month coordinated effort to patch the flaws, he stated.

"The discovery of these vulnerabilities comes as a surprise because the security of Wi-Fi has in fact significantly improved over the past years," he said. "Unfortunately, a feature that could have prevented one of the newly discovered design flaws was not adopted in practice, and the other two design flaws are present in a feature of Wi-Fi that was previously not widely studied."

The three vulnerabilities in the 802.11 standard, by themselves, are not critical security risks. To exploit the vulnerabilities, the attacker must lure a targeted user to an attacker-controlled server and also be connected to the same Wi-Fi network as the victim, Vanhoef stated in his analysis.  

However, Vanhoef also found a number of implementation flaws related to the weaknesses, such as Wi-Fi devices that accept any unencrypted data frame, that allow more serious attacks. The overall implications of the vulnerabilities are unlikely to be understood for some time, says Keatron Evans, principal security researcher at cybersecurity education provider Infosec.

"What's most interesting is the fact that these latest vulnerabilities are really old and have been around for many years," he says. "It's also interesting now that it is a topic of discussion, but we have yet to see what new and novel Wi-Fi attack vectors spawn from this. I think of them as vulnerabilities that may eventually lead to much more serious vulnerabilities and exploits."

The security research focused on two parts of the Wi-Fi standard: Aggregation allows networks to combine small data frames into larger ones to improve the throughput of the network, while fragmentation allows a network to do the opposite — split large frames into smaller ones to improve reliability. 

The vulnerable standard allowed plaintext to be injected into a data stream by sending the targeted user to an attacker-controlled server, changing the "is aggregated" flag — which is not covered by the frame's integrity check — and then forwarding the data through the network. Two other vulnerabilities affect the way Wi-Fi devices implement fragmentation, which could allow data to sometimes be exfiltrated, Vanhoef stated.
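The design point behind the aggregation flaw is that a header bit outside the coverage of the frame's integrity tag can be altered without the receiver noticing, and the receiver then parses the same protected payload differently. The following is an added example, not code from the article or from Vanhoef's paper: a toy model in Python's standard library in which an HMAC stands in for Wi-Fi's real authenticated encryption, and a one-byte `aggregated` flag stands in for the A-MSDU Present bit. The frame layout, key, and payload are constructed for the demo; the comparison shows the weak design (tag covers only the payload) beside the hardened design (flag fed in as associated data), which is the mitigation a receiver needs in order to reject a frame whose flag was changed in transit.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key; a real Wi-Fi session key would come from the handshake.
KEY = hashlib.sha256(b"constructed demo session key").digest()


@dataclass(frozen=True)
class Frame:
    """Toy protected frame: a header flag, a payload, and an integrity tag."""
    aggregated: bool   # stands in for the header's "is aggregated" (A-MSDU) flag
    payload: bytes     # receiver parses this as one frame or as several subframes
    tag: bytes         # integrity tag computed by the sender


def _integrity_tag(key: bytes, aad: bytes, payload: bytes) -> bytes:
    # HMAC-SHA256 stands in for the AEAD tag; what matters is which bytes it covers.
    return hmac.new(key, aad + payload, hashlib.sha256).digest()


def seal(key: bytes, payload: bytes, aggregated: bool, protect_flag: bool) -> Frame:
    """Build a frame.

    protect_flag=False: tag covers only the payload (the weak design).
    protect_flag=True:  the flag is bound in as associated data (hardened design).
    """
    aad = bytes([int(aggregated)]) if protect_flag else b""
    return Frame(aggregated, payload, _integrity_tag(key, aad, payload))


def verify(key: bytes, frame: Frame, protect_flag: bool) -> bool:
    """Receiver-side check; must mirror the sender's choice of what the tag covers."""
    aad = bytes([int(frame.aggregated)]) if protect_flag else b""
    return hmac.compare_digest(frame.tag, _integrity_tag(key, aad, frame.payload))


def with_flag_flipped(frame: Frame) -> Frame:
    """Model the header flag being toggled in transit; payload and tag are untouched."""
    return Frame(not frame.aggregated, frame.payload, frame.tag)


def compare_designs(payload: bytes) -> dict:
    """Seal one payload under both designs and report what the receiver accepts."""
    weak = seal(KEY, payload, aggregated=False, protect_flag=False)
    hardened = seal(KEY, payload, aggregated=False, protect_flag=True)
    return {
        "weak_accepts_original": verify(KEY, weak, protect_flag=False),
        "weak_accepts_flipped": verify(KEY, with_flag_flipped(weak), protect_flag=False),
        "hardened_accepts_original": verify(KEY, hardened, protect_flag=True),
        "hardened_accepts_flipped": verify(KEY, with_flag_flipped(hardened), protect_flag=True),
    }


if __name__ == "__main__":
    # Constructed sample payload standing in for an ordinary protected data frame.
    for name, accepted in compare_designs(b"constructed application data").items():
        print(f"{name}: {accepted}")
```

In the weak design both the original and the flag-flipped frame pass verification, so the receiver has no cryptographic signal that the framing changed; in the hardened design the flipped frame fails, which is the property a defender wants from any header field that changes how the payload is interpreted.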

"The biggest risk in practice is likely the ability to abuse the discovered flaws to attack devices in someone's home network," he said. "For instance, many smart home and Internet of Things devices are rarely updated, and Wi-Fi security is the last line of defense that prevents someone from attacking these devices. Unfortunately, due to the discovered vulnerabilities, this last line of defense can now be bypassed."

Vanhoef is a well-known security researcher, having previously discovered the original key reinstallation attacks (KRACK) vulnerabilities in wireless networks.

While the attack requires a "perfect storm" of not only proximity but user interaction, the addition of nine other implementation flaws in different Wi-Fi devices and products means the potential for an attack should not be ignored, said Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, a vulnerability remediation orchestration provider, in a statement.

"That doesn't mean that these vulnerabilities can be ignored. This latest discovery should be a reminder that cyber hygiene best practices are critically important," he said. "End users and administrators alike need to be coordinated in their efforts to regularly patch connected devices, which include routers, IoT devices, and smartphones."

Companies that manage and monitor their devices should make sure the security updates are available — a list of products affected can be found on Vanhoef's GitHub page — and that devices have been updated, says Infosec's Evans.

"If an organization is already matured to where they are doing most of the security 101 stuff like patching, antivirus, and other endpoint protection, they will most likely be fine," he said. "There is an opportunity for some disruption and potentially some information leakage for unencrypted communications over the Wi-Fi."
