Despite being around for years, WiFi systems had some serious security flaws that recently has attracted attention. Dubbed ‘FragAttacks’, this set of vulnerabilities, upon exploit, allows an adversary to steal data by intercepting a network.
FragAttacks Vulnerabilities In WiFi Systems
Security researcher Mathy Vanhoef has elaborated on the newly discovered security flaws affecting the WiFi system.
Specifically, Vanhoef discovered three different design flaws and numerous programming flaws that threaten WiFi security. While the design flaws are hard to abuse, the programming flaws surely demand attention.
The bugs are particularly important as they affect the latest WPA3 specification as well as the oldest WEP. Thus, it seems that the vulnerabilities had existed since 1997, but remained unnoticed.
Exploiting these vulnerabilities could let an attacker achieve different malicious goals.
The first type of bugs includes injection vulnerabilities. These allow intercepting the WiFi network with malicious unencrypted frames to reroute traffic to malicious DNS servers or to bypass NAT/firewall. These include four different bugs – CVE-2020-26145, CVE-2020-26144, CVE-2020-26140, and CVE-2020-26143
Also, the researcher noticed some other implementation vulnerabilities that include forwarding handshake frames to the unauthenticated sender (CVE-2020-26139) thus allowing aggregation attacks and injecting malicious frames with no user interaction, mixing encrypted and plaintext fragments (CVE-2020-26146 and CVE-2020-26147), process fragmented frames as full frames (CVE-2020-26142). The latter affects even those routers that do not support fragmentation or aggregation.
Besides, another bug, CVE-2020-26141, also existed due to a lack of verification of TKIP MIC of fragmented frames.
This video demonstrates exploiting a few of the FragAttacks. Precisely, the video shows exploiting aggregation design flaws to steal data, exploiting IoT devices via a smart socket, and taking over target computers in a local home network by these exploits.
For now, the researcher hasn’t shared many details of the exploits to give more time to the developers to patch the bugs. The researcher has responsibly disclosed the flaws to many and believes that at least one vulnerability surely affects every modern router.
The research has shared the details of these findings in a research paper scheduled for presentation at the 30th USENIX Security Symposium, August 11–13, 2021. Whereas, he has also set up a dedicated web page with information for FragAttacks.