Researcher finds vulnerabilities that affect ‘all Wi-Fi devices’

A Belgian security researcher has found a series of vulnerabilities in the 802.11 standard for Wi-Fi. These ‘FragAttacks’ vulnerabilities affect ‘all Wi-Fi devices’, according to the researcher.

The collection of vulnerabilities was announced this week under the name FragAttacks. The vulnerabilities were discovered by Mathy Vanhoef, a security researcher at New York University Abu Dhabi. They concern design flaws in the 802.11 standard, which is developed by the IEEE and is the basis of Wi-Fi.

According to the researcher, the vulnerabilities affect all modern Wi-Fi security protocols, from WEP (1997) to WPA3, which is part of Wi-Fi 6. This means that almost all Wi-Fi devices are vulnerable to one or more of these design flaws.

According to Vanhoef, it is difficult to exploit the design flaws themselves, as this requires user interaction or is only possible when using ‘unusual network settings’. “In practice, the biggest concern is therefore the programming errors in Wi-Fi products, as several of them are trivial to exploit,” writes the researcher.

Mathy Vanhoef presents FragAttacks during Usenix Security 2021

Disclosure of the vulnerabilities

Security updates have been prepared in recent months to protect users, Vanhoef reports. That happened during a disclosure period of nine months, which was overseen by the Wi-Fi Alliance and the ICASI. The latter organization writes that several companies, including Cisco, HPE and Microsoft, have already published advisories and security updates.

When an update is not yet available for a user’s device, some of the vulnerabilities can be mitigated by using HTTPS. Vanhoef has posted an open source application on GitHub that users can use to test whether their devices are vulnerable. A total of twelve CVE numbers have been assigned to the vulnerabilities, which are listed on the FragAttacks website.

The same website indicates how hackers could exploit these vulnerabilities. Hackers within radio range of a victim could, for example, exploit these vulnerabilities to steal data or to attack devices within the victim’s home network. “Experiments show that every Wi-Fi product is affected by at least one vulnerability and that most products can be affected by multiple vulnerabilities.”

Aggregation attacks and other vulnerabilities

Vanhoef also explains how the various design flaws work. Among other things, the researcher writes about a flaw in the frame aggregation feature of Wi-Fi. Frame aggregation is used to increase the speed and throughput of a Wi-Fi network by combining small ‘frames’ into a larger, aggregated frame. Each frame contains an ‘is aggregated’ flag, which indicates whether it is a complete or an aggregated frame. According to the researcher, this flag is not authenticated and can therefore be changed by a hacker.

Hackers can exploit this by getting victims to connect to their server, for example by letting them visit their website. Malicious parties can then send specific IPv4 packets to the victim and set the ‘is aggregated’ flag. The ability to inject such packets makes it possible to intercept a victim’s internet traffic by using their own DNS server, as Vanhoef demonstrates in a video.
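To make the ‘is aggregated’ flag concrete from the receiver’s side, the following added example (not code from the article or from Vanhoef’s tooling) parses a frame body both ways and applies a consistency check before trusting the flag. The field layout (flag in bit 7 of the QoS Control field, 14-byte subframe header, 4-byte padding, LLC/SNAP prefix) is taken from the 802.11 standard rather than from this page, and all sample bytes are constructed.

```python
import struct

AMSDU_PRESENT = 0x0080                    # bit 7 of the 802.11 QoS Control field
LLC_SNAP = bytes.fromhex("aaaa03000000")  # header that opens a non-aggregated frame body

def parse_amsdu(body):
    """Split a frame body into A-MSDU subframes, returned as (dst, src, payload)."""
    subframes, off = [], 0
    while off + 14 <= len(body):
        dst, src = body[off:off + 6], body[off + 6:off + 12]
        (length,) = struct.unpack_from(">H", body, off + 12)
        end = off + 14 + length
        if end > len(body):
            raise ValueError("subframe length runs past the frame body")
        subframes.append((dst, src, body[off + 14:end]))
        off = (end + 3) & ~3              # each subframe is padded to 4 bytes
    return subframes

def receive(qos_control, body):
    """Return ("msdu", body), ("amsdu", subframes) or ("drop", reason)."""
    if not qos_control & AMSDU_PRESENT:
        return ("msdu", body)
    # The flag is not authenticated, so cross-check it against the body: a body
    # that opens with LLC/SNAP was built as a single frame, not as an aggregate.
    if body[:6] == LLC_SNAP:
        return ("drop", "flag set on a body that starts with LLC/SNAP")
    try:
        return ("amsdu", parse_amsdu(body))
    except ValueError as exc:
        return ("drop", str(exc))

# Constructed sample data (not captured traffic).
DST, SRC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")

def subframe(payload, last=False):
    raw = DST + SRC + struct.pack(">H", len(payload)) + payload
    return raw if last else raw + b"\x00" * (-len(raw) % 4)

NORMAL = LLC_SNAP + b"\x08\x00" + b"single frame payload"
AGGREGATE = (subframe(LLC_SNAP + b"\x08\x00" + b"AAAAA")
             + subframe(LLC_SNAP + b"\x08\x00" + b"BBBB", last=True))

if __name__ == "__main__":
    print(receive(0x0000, NORMAL)[0])               # honest single frame
    print(receive(AMSDU_PRESENT, NORMAL))           # same bytes, flag flipped
    print(receive(AMSDU_PRESENT, AGGREGATE)[0])     # genuine aggregate
```

The same `NORMAL` bytes are accepted as one frame when the flag is clear and rejected when only the flag changes, while a genuine aggregate still parses into its two subframes.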

In a presentation he reports that this is difficult to exploit in practice, because users have to connect to a hacker’s server while the hacker is within radio range of the victim. The researcher also posts explanations of several other design flaws, including so-called mixed key attacks and attacks on the fragment cache. In a research paper he goes deeper into all the different vulnerabilities.