A researcher this week disclosed the details of a dozen design and implementation flaws that could affect all devices with Wi-Fi capabilities, exposing their users to remote attacks.
The vulnerabilities, dubbed FragAttacks (fragmentation and aggregation attacks), were discovered by researcher Mathy Vanhoef, who was also involved in the discovery of the Key Reinstallation Attack (KRACK) vulnerabilities back in 2017.
FragAttacks can be leveraged by an attacker who is within range of the targeted Wi-Fi connection to hack devices and steal sensitive user information.
The vulnerabilities appear to impact all Wi-Fi security protocols, including WEP — this means some of the flaws have been around since 1997 — and the latest WPA3. Vanhoef said all of the more than 75 tested Wi-Fi devices were affected by at least one of the FragAttacks issues, but most of these products were impacted by multiple vulnerabilities.
Tested devices include mobile products from Huawei, Google, Samsung and Apple; computers from Dell, Apple and MSI; Xiaomi and Canon IoT devices; Asus, Linksys and D-Link routers; and Aruba, Lancom and Cisco access points.
A dozen CVE identifiers have been assigned to FragAttacks, including three CVEs for design flaws related to aggregation, mixed key and fragment cache attacks; four CVEs for implementation issues that can be exploited to inject plaintext frames into protected Wi-Fi networks; and five CVEs for various other implementation flaws.
The researcher said the design flaws are more difficult to exploit as they typically require user interaction or uncommon network settings. However, the implementation flaws are easier to leverage in attacks.
Vanhoef has shown how an attacker could use the FragAttacks design flaws to redirect the targeted user to a malicious website. However, this attack requires setting up a malicious server and a rogue Wi-Fi connection mimicking the victim’s connection, as well as user interaction (e.g. opening an email).
Vanhoef also demonstrated how some of the implementation flaws can be exploited to take control of smart devices on the targeted network, bypass a home router firewall and gain remote access to the local network, steal a user’s information, and spy on them.
“The biggest risk in practice is likely the ability to abuse the discovered flaws to attack devices in someone’s home network. For instance, many smart home and internet-of-things devices are rarely updated, and Wi-Fi security is the last line of defense that prevents someone from attacking these devices. Unfortunately, due to the discovered vulnerabilities, this last line of defense can now be bypassed,” Vanhoef explained.
Some of the affected vendors have been notified and given 9 months to release patches. The researcher specifically mentioned patches being released by Microsoft (in March) and Linux kernel developers. Mitigations are also available for some of the vulnerabilities.
Vanhoef has set up a dedicated website for FragAttacks and also released a detailed research paper, a video showing how the vulnerabilities can be exploited in real-world attacks, and an open source tool that can be used to determine if Wi-Fi clients and access points are affected by the flaws.