FragAttacks foil two decades of wireless security
The evolution of wireless security could at best be described as trial and error. The initial standard that debuted in the late 1990s — Wired Equivalent Privacy (WEP) — had significant security problems, and the first two versions of Wireless Protected Access, WPA and WPA2, have both been found to be vulnerable to a variety of other security issues.
The trials continue with a host of so-called fragmentation attacks, or FragAttacks, that abuse the aggregation and fragmentation features of Wi-Fi to enable machine-in-the-middle attacks. Details of the vulnerabilities, which had been kept secret for nine months, were disclosed at the Black Hat USA briefings on Aug. 5.
The issues occur in the way that small network packets are combined for transport, known as aggregation, and the way that large network packets are split up to improve reliability, known as fragmentation. Even devices using WPA3, the latest wireless security standard, can be vulnerable, Mathy Vanhoef, a postdoctoral researcher at New York University Abu Dhabi, said during his Black Hat presentation.
“The fragmentation and aggregation functionality of Wi-Fi were never considered security-essential, so no one really looked at them,” he said, adding: “This really shows that all implementations are vulnerable — even, surprisingly, those that don’t support fragmentation and those that don’t support aggregation.”
The vulnerabilities — which Vanhoef described as design flaws in the IEEE 802.11 standard, more commonly known as Wi-Fi — were described in a paper released in June. The issues allow a local attacker who has fooled a victim into connecting to an attacker-controlled server to then insert themselves into the Wi-Fi network as a machine in the middle.
Vanhoef characterized these as design flaws because the specific mitigations are optional and not required, a lesson for future implementers of the standard.
“We should adopt defenses early, even if the concerns are theoretic, because that, for example, would have prevented the aggregation design flaw,” he said. In addition, testing the software should be part of the credentialing process for vendors’ devices, he added. “We should keep fuzzing devices; … the Wi-Fi Alliance could fuzz devices while they are being certified.”
Vanhoef discovered three design flaws in the current Wi-Fi standard. The first, CVE-2020-24588, allows an attacker to abuse the way that Wi-Fi aggregates smaller data packets into larger frames (A-MSDUs) to optimize wireless data rates. The researcher used the attack to send victims on the local Wi-Fi network to an attacker-controlled domain name service (DNS) server, and then on to a malicious website.
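To make the aggregation mechanism concrete, the following is an added example written for this article; it is not code from the article, from Vanhoef's paper, or from any Wi-Fi implementation. It builds and parses the A-MSDU subframe layout (destination address, source address, 16-bit length, payload, padded to 4 bytes between subframes), rejects malformed subframes, and shows the receiver-side rule that addresses the aggregation flaw: the bit marking a frame as aggregated is only trustworthy when it is covered by the frame's authentication, which in 802.11 terms means the SPP A-MSDU capability was negotiated. The MAC addresses and payloads are constructed sample values, and the `spp_amsdu_negotiated` parameter is an assumed stand-in for the negotiated capability.

```python
import struct

# A-MSDU subframe header: DA (6 bytes), SA (6 bytes), MSDU length (2 bytes, big-endian)
SUBFRAME_HDR = struct.Struct(">6s6sH")

# Constructed sample addresses and payloads (locally administered MACs, not real devices).
DA1 = bytes.fromhex("02000000aa01")
SA1 = bytes.fromhex("02000000bb01")
DA2 = bytes.fromhex("02000000aa02")
SA2 = bytes.fromhex("02000000bb02")
LLC_SNAP_IP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"  # LLC/SNAP header announcing an IPv4 payload
SAMPLE_SUBFRAMES = [
    (DA1, SA1, LLC_SNAP_IP + b"PKT-ONE"),
    (DA2, SA2, LLC_SNAP_IP + b"PKT-TWO!"),
]


def build_amsdu(subframes):
    """Serialize (da, sa, msdu) tuples into an A-MSDU body.

    Every subframe except the last is padded with zero bytes to a 4-byte boundary.
    """
    out = bytearray()
    for i, (da, sa, msdu) in enumerate(subframes):
        out += SUBFRAME_HDR.pack(da, sa, len(msdu)) + msdu
        if i != len(subframes) - 1:
            out += b"\x00" * (-len(out) % 4)
    return bytes(out)


def parse_amsdu(body):
    """Split an A-MSDU body into (da, sa, msdu) tuples.

    Raises ValueError on a truncated header, a length that runs past the body,
    or missing inter-subframe padding, so a receiver never delivers partial data.
    """
    subframes = []
    off = 0
    while off < len(body):
        if len(body) - off < SUBFRAME_HDR.size:
            raise ValueError(f"truncated subframe header at offset {off}")
        da, sa, length = SUBFRAME_HDR.unpack_from(body, off)
        start = off + SUBFRAME_HDR.size
        end = start + length
        if end > len(body):
            raise ValueError(f"subframe at offset {off} claims {length} bytes beyond the body")
        subframes.append((da, sa, body[start:end]))
        pad = -end % 4
        if end < len(body):
            # Padding is required between subframes (a padded last subframe is tolerated).
            if len(body) - end < pad:
                raise ValueError(f"missing padding after subframe at offset {off}")
            end += pad
        off = end
    return subframes


def deliver(frame_body, amsdu_flag, spp_amsdu_negotiated):
    """Receiver policy for a decrypted data frame.

    Returns (accepted, list_of_msdus). The aggregation flag is honored only when
    it is authenticated, i.e. SPP A-MSDU was negotiated for this association;
    otherwise a frame flagged as aggregated is dropped rather than reinterpreted.
    """
    if amsdu_flag and not spp_amsdu_negotiated:
        return False, []
    if amsdu_flag:
        return True, [msdu for _, _, msdu in parse_amsdu(frame_body)]
    return True, [frame_body]


if __name__ == "__main__":
    body = build_amsdu(SAMPLE_SUBFRAMES)
    print(f"A-MSDU body: {len(body)} bytes, {len(parse_amsdu(body))} subframes")
    print("flag set, SPP negotiated  :", deliver(body, True, True)[0])
    print("flag set, SPP not negotiated:", deliver(body, True, False)[0])
```

The design point is the last function: a receiver that cannot verify the aggregation bit should not let that bit change how it parses the frame body, because the same bytes yield different packets under the two interpretations.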