A new type of Wi-Fi attack is impacting virtually every Wi-Fi product on the planet, from the original WEP specification from 1997 to the WPA3 protocol today. These sets of vulnerabilities, known as FragAttacks (or fragmentation and aggregation attacks), stem from design flaws in the Wi-Fi standard and programming mistakes in Wi-Fi products — and as a result, virtually every Wi-Fi device is impacted by at least one, if not several, FragAttack vulnerabilities. FragAttacks themselves range from the harmless to the severe, including the ability to exfiltrate data from seemingly secure networks.
What are FragAttacks?
FragAttacks exploit design flaws in the Wi-Fi standard that allow attackers to inject plaintext “frames” into otherwise protected Wi-Fi networks. These can essentially “fool” the network, allowing an attacker to intercept traffic (for instance by tricking the client into connecting to a malicious server) or bypass security firewalls (by sending a false “handshake” that authenticates their device). Because these attacks stem from flaws in the Wi-Fi standard itself, any device connected to a network is potentially impacted.
Given how quickly wireless connectivity is spreading in most organizations, these attacks will give cause for some concern. While many devices in enterprise environments enjoy well-layered security (and hence some level of protection from a FragAttack), it is often unsecured devices, like IoT sensors, that pose the largest threat. For instance, it has been demonstrated that an attacker can use a FragAttack to exploit an unsecured IoT device by turning a power socket on and off remotely. Any device that has been compromised can then potentially lead to data exfiltration within the organizational network.
The LOCH Response
With 80% of IoT deployments being wireless and a large subset using traditional Wi-Fi, the FragAttacks disclosure identifies new risks with using wireless devices and increases the requirement to observe, identify and track them. At a minimum, organizations must have a live inventory of all devices operating in their environment to be able to effectively quantify the risk to the organization.
LOCH is reviewing its capabilities to identify vulnerable devices and detect attempted attacks with the AirShield product. Organizations should review their infrastructure and immediately plan upgrades to critical core systems, beginning with Wi-Fi Access Points. Doing so would eliminate the threat from many of the discovered weaknesses.
In general, the number of connected wireless devices in organizations is increasing rapidly — particularly with technologies like 5G and multi-access edge computing (MEC) now gaining widespread traction. Moreover, given that exploitable vulnerabilities like FragAttacks are now appearing in Wi-Fi, it is conceivable that they could extend to other wireless protocols and connected devices over time. As such, it is more critical than ever that organizations take stock of their wireless networks and devices, so they can proactively protect their data and assets.
FragAttack CVEs and Vendor Responses
Specific details of each weakness can be found at the disclosure site and tracked with the following CVEs.
- CVE-2020-24586 – Not clearing fragments from memory when (re)connecting to a network
- CVE-2020-24587 – Reassembling fragments encrypted under different keys
- CVE-2020-24588 – Accepting non-SPP A-MSDU frames
- CVE-2020-26139 – Forwarding EAPOL frames even though the sender is not yet authenticated
- CVE-2020-26140 – Accepting plaintext data frames in a protected network
- CVE-2020-26141 – Not verifying the TKIP MIC of fragmented frames
- CVE-2020-26142 – Processing fragmented frames as full frames
- CVE-2020-26143 – Accepting fragmented plaintext data frames in a protected network
- CVE-2020-26144 – Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network)
- CVE-2020-26145 – Accepting plaintext broadcast fragments as full frames (in an encrypted network)
- CVE-2020-26146 – Reassembling encrypted fragments with non-consecutive packet numbers
- CVE-2020-26147 – Reassembling mixed encrypted/plaintext fragments
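Several of the receive-side flaws above (plaintext data frames or fragments in a protected network, mixed encrypted/plaintext fragments, and non-consecutive packet numbers across fragments) can be spotted passively by a monitor that parses 802.11 data frames. The following is an added illustration written for this post, not LOCH or AirShield code; it assumes 3-address CCMP data frames and runs over a small set of constructed sample frames rather than a real capture.

```python
import struct
from collections import defaultdict
HDR = struct.Struct("<HH6s6s6sH")   # 802.11 MAC header: FC, duration, addr1-3, seq control

def parse_frame(raw):
    """Fields the audit needs from one raw data frame; None for management/control frames."""
    fc, _dur, _a1, a2, _a3, seqctl = HDR.unpack_from(raw)
    if (fc >> 2) & 0x3 != 2:                      # frame type 2 = data
        return None
    flags = fc >> 8
    frame = {"src": a2.hex(":"), "seq": seqctl >> 4, "frag": seqctl & 0xF,
             "more_frag": bool(flags & 0x04), "protected": bool(flags & 0x40), "pn": None}
    body = raw[HDR.size + (2 if (fc >> 4) & 0x8 else 0):]   # QoS Data adds a 2-byte QoS field
    if frame["protected"] and len(body) >= 8 and body[3] & 0x20:   # CCMP header (ExtIV set)
        frame["pn"] = int.from_bytes(body[:2] + body[4:8], "little")  # PN0..PN5
    return frame

def audit(raw_frames):
    """Flag data frames a protected BSS must reject. Returns a list of (seq, reason)."""
    findings, groups = [], defaultdict(list)
    for f in filter(None, map(parse_frame, raw_frames)):
        fragmented = f["more_frag"] or f["frag"] > 0
        if not f["protected"]:                     # CVE-2020-26140 / CVE-2020-26143
            kind = "fragment" if fragmented else "frame"
            findings.append((f["seq"], "plaintext data %s in protected network" % kind))
        if fragmented:
            groups[(f["src"], f["seq"])].append(f)
    for (_src, seq), frags in groups.items():
        frags.sort(key=lambda f: f["frag"])
        if len({f["protected"] for f in frags}) > 1:   # CVE-2020-26147
            findings.append((seq, "mixed encrypted/plaintext fragments"))
        pns = [f["pn"] for f in frags if f["pn"] is not None]
        if any(b - a != 1 for a, b in zip(pns, pns[1:])):   # CVE-2020-26146
            findings.append((seq, "non-consecutive packet numbers across fragments"))
    return findings

def build(seq, frag, more, protected, pn=0):
    """Construct a sample 3-address data frame (test fixture, not a real capture)."""
    fc = (2 << 2) | (((0x04 if more else 0) | (0x40 if protected else 0)) << 8)
    hdr = HDR.pack(fc, 0, b"\xaa" * 6, b"\x02\x00\x00\x00\x00\x01", b"\xaa" * 6, (seq << 4) | frag)
    pnb = pn.to_bytes(6, "little")
    ccmp = pnb[:2] + b"\x00\x20" + pnb[2:] if protected else b""   # PN0 PN1 rsvd keyid|ExtIV PN2-5
    return hdr + ccmp + b"\x00" * 16                 # dummy payload

SAMPLE = [  # constructed capture from one station on a WPA2 network
    build(10, 0, True, True, 100), build(10, 1, False, True, 101),   # well-formed pair
    build(11, 0, True, True, 200), build(11, 1, False, True, 205),   # PN gap
    build(12, 0, True, True, 300), build(12, 1, False, False),       # encrypted then plaintext
    build(13, 0, False, False),                                      # plaintext unfragmented frame
]
```

Running `audit(SAMPLE)` reports the PN gap on sequence 11, the mixed fragments on sequence 12, and the two plaintext frames; the well-formed pair on sequence 10 produces nothing.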
A collection of vendor responses can be found at:
If you’d like to gain an understanding of every wireless device operating in your environment and assess your level of risk for FragAttacks, sign up for a Free IoT Broad Spectrum Wireless Assessment today.