A Belgian security researcher has discovered several Wi-Fi security vulnerabilities in the Wi-Fi standard itself that consequently “affect most devices” on the market.
He also found other related vulnerabilities that stem not from the standard’s design but from “widespread programming mistakes” in individual products. The vulnerabilities, dubbed “FragAttacks” (short for “fragmentation and aggregation attacks”), affect devices released since 1997.
When exploited, they could allow hackers to execute malicious code, intercept information, hijack the affected devices, or use them as launchpads for more sophisticated attacks.
Every Wi-Fi product has at least one security vulnerability
Mathy Vanhoef, the security researcher who discovered the FragAttacks Wi-Fi security vulnerabilities, noted that every Wi-Fi product is affected by at least one of the flaws, and most products are affected by several of them.
His research also found that the vulnerabilities affect every Wi-Fi security protocol, from the original WEP specification to the most recent WPA3 specification.
Wi-Fi security vulnerabilities allow attackers to flip smart switches
Some attack scenarios include intercepting users’ authentication credentials and flipping a smart power socket. Attackers could also exploit the vulnerabilities as a “stepping stone to launch advanced attacks.”
Vanhoef, however, noted that attackers had not exploited the FragAttacks Wi-Fi security vulnerabilities in the wild.
He explained that the Wi-Fi security vulnerabilities are difficult to exploit because the attacker must be within radio range of the victim network. They also require user interaction or “uncommon network settings,” which makes them unsuited for large-scale attacks.
“As a result, in practice, the biggest concern are the programming mistakes in Wi-Fi products since several of them are trivial to exploit,” the report states.
Details of Wi-Fi security vulnerabilities
Vanhoef found that the plaintext injection vulnerabilities could allow an attacker to inject an unencrypted Wi-Fi frame and hijack the victim’s traffic through a malicious DNS server.
They could also bypass the NAT or firewall to target devices connected to the victim’s home network. This vulnerability affected 50% of routers tested, several IoT devices, and some smartphones.
The plaintext injection vulnerabilities are easy to exploit for three reasons. First, some Wi-Fi devices “accept any unencrypted frame even when connected to a protected Wi-Fi network.” Second, others “accept plaintext aggregated frames that look like handshake messages.”
Third, other Wi-Fi devices and systems, including the open-source OpenBSD kernel, process broadcast fragments as normal unfragmented frames and “accept broadcast fragments even when sent unencrypted.”
Other Wi-Fi security vulnerabilities stem from design flaws in the frame aggregation and fragmentation features.
Wi-Fi’s frame aggregation feature increases the network’s speed and throughput by combining smaller frames into one. An aggregated frame carries an “is aggregated” flag in its header. This flag is not authenticated and can be modified by an attacker.
“An adversary can abuse this to inject arbitrary network packets by tricking the victim into connecting to their server and then setting the ‘is aggregated’ flag of carefully selected packets,” the report explained.
A threat actor could also exploit a design flaw in Wi-Fi’s frame fragmentation feature to carry out a mixed key attack. Fragmentation improves the reliability of a frame by splitting larger frames into smaller ones.
All fragments of a frame are supposed to be encrypted with the same key. However, receivers do not check this and will reassemble fragments that were decrypted with different keys. This “theoretical” Wi-Fi security vulnerability allows attackers to exfiltrate data from victims.
The fragment cache design flaw exists because Wi-Fi devices retain non-reassembled fragments in memory after a client disconnects from the network. An attacker could exploit this by injecting a malicious fragment into the access point’s memory.
“This can be abused against hotspot-like networks such as eduroam and govroam and against enterprise networks where users distrust each other. In those cases, selected data sent by the victim can be exfiltrated.”
When the victim reconnects to the hotspot or access point and sends fragmented frames, those fragments are combined with the malicious fragment.
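The three receiver-side weaknesses described above (accepting plaintext frames and broadcast fragments on a protected link, reassembling fragments decrypted under different keys, and keeping stale fragments in the cache across a disconnect) can all be closed by checks at reassembly time. The following model is an added example, not code from the article or from Vanhoef’s research: it is a simplified simulation of a receiver’s fragment reassembly, not a real 802.11 implementation. The `Fragment` fields, the `key_id` identifiers and the byte payloads are constructed stand-ins, and `hardened=False` reproduces the permissive behaviour the article describes while `hardened=True` applies the corrected checks.

```python
"""Simplified model of Wi-Fi fragment reassembly, permissive vs. hardened.
Added example; the frame fields and keys below are constructed stand-ins,
not real 802.11 structures or captured traffic."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Fragment:
    seq: int                # sequence number shared by all fragments of one frame
    frag_no: int            # position of this fragment within the frame
    more_frags: bool        # True for every fragment except the last
    encrypted: bool         # did the fragment arrive under the link's cipher?
    key_id: Optional[int]   # constructed identifier of the key it was decrypted with
    broadcast: bool         # group-addressed frame?
    payload: bytes


class Receiver:
    def __init__(self, protected: bool, hardened: bool):
        self.protected = protected   # is the link a protected (encrypted) network?
        self.hardened = hardened     # apply the reassembly checks or not
        self.cache: Dict[int, List[Fragment]] = {}
        self.rejected: List[str] = []

    def on_disconnect(self) -> None:
        # Fragment cache flaw: a hardened receiver forgets partially
        # reassembled frames when the station leaves the network, so a
        # fragment left behind cannot be glued to the next client's frame.
        if self.hardened:
            self.cache.clear()

    def receive(self, frag: Fragment) -> Optional[bytes]:
        """Return the reassembled frame when complete, else None."""
        if self.hardened:
            # Plaintext injection: no unencrypted frames on a protected link.
            if self.protected and not frag.encrypted:
                self.rejected.append(f"seq={frag.seq}: plaintext on protected link")
                return None
            # Broadcast frames are never fragmented; treat fragments as bogus.
            if frag.broadcast and (frag.frag_no > 0 or frag.more_frags):
                self.rejected.append(f"seq={frag.seq}: broadcast fragment")
                return None
        frags = self.cache.setdefault(frag.seq, [])
        frags.append(frag)
        if frag.more_frags:
            return None
        del self.cache[frag.seq]
        frags.sort(key=lambda f: f.frag_no)
        if self.hardened:
            # Mixed key: every fragment must have been decrypted with the same key.
            if len({f.key_id for f in frags}) > 1:
                self.rejected.append(f"seq={frag.seq}: fragments under mixed keys")
                return None
            # Fragment numbers must run 0..n-1 with nothing missing or stale.
            if [f.frag_no for f in frags] != list(range(len(frags))):
                self.rejected.append(f"seq={frag.seq}: non-contiguous fragments")
                return None
        return b"".join(f.payload for f in frags)


def run_scenarios(hardened: bool) -> Dict[str, Optional[bytes]]:
    """Replay four constructed fragment sequences against a receiver on a
    protected network and report what it delivers to the upper layer."""
    results: Dict[str, Optional[bytes]] = {}

    # 1. Mixed key: the key is rotated between two fragments of one frame.
    rx = Receiver(protected=True, hardened=hardened)
    rx.receive(Fragment(1, 0, True, True, 1, False, b"GET /login"))
    results["mixed_key"] = rx.receive(Fragment(1, 1, False, True, 2, False, b" HTTP/1.1"))

    # 2. Fragment cache: a fragment left by a previous client survives the
    #    disconnect and is combined with the next client's final fragment.
    rx = Receiver(protected=True, hardened=hardened)
    rx.receive(Fragment(7, 0, True, True, 3, False, b"<stale fragment>"))
    rx.on_disconnect()
    results["fragment_cache"] = rx.receive(Fragment(7, 1, False, True, 4, False, b"Cookie: x"))

    # 3. Plaintext injection: an unencrypted frame arrives on a protected link.
    rx = Receiver(protected=True, hardened=hardened)
    results["plaintext"] = rx.receive(Fragment(9, 0, False, False, None, False, b"DNS answer"))

    # 4. Broadcast fragments processed as if they were a normal fragmented frame.
    rx = Receiver(protected=True, hardened=hardened)
    rx.receive(Fragment(11, 0, True, True, 5, True, b"bcast-"))
    results["broadcast_fragment"] = rx.receive(Fragment(11, 1, False, True, 5, True, b"fragment"))
    return results


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "permissive", run_scenarios(hardened=mode))
```

Running the block shows the permissive receiver delivering a payload in all four scenarios, while the hardened receiver delivers nothing and records a reason in `rejected` each time. Real drivers implement these checks against 802.11 header fields and the per-association key state; the model keeps only the decision logic.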
Mitigating Wi-Fi security vulnerabilities
While the research found these flaws difficult to exploit, they could be used in targeted attacks against specific organizations that have not applied the necessary mitigations.
Users can mitigate FragAttacks by applying updates released under supervision from the Wi-Fi Alliance and ICASI.
They could also reduce the risk by only visiting websites secured with an SSL/TLS certificate. Although an attacker could still intercept such traffic, it adds a layer of encryption the attacker must defeat.