“FragAttacks could allow hackers within a device’s WiFi radio range and introduce malware to compromise intelligent devices.”
In October 2017, researchers published work on a new attack against WiFi encryption. They had discovered severe weaknesses in WPA2, the protocol that protects all modern protected WiFi networks, and these weaknesses could be exploited using Key Reinstallation Attacks, or KRACKs. A KRACK lets an attacker read and abuse information previously assumed to be safely encrypted, such as credit card information, passwords, photographs and emails. The weaknesses were in the WiFi standard itself and not in select models or products, so any correct implementation of WPA2 was vulnerable to KRACKs. The researchers found that Android, Apple, Linux and Windows were all affected by some variant of the attacks.
In May 2021, Mathy Vanhoef, one of the authors of the KRACK paper, found a collection of further flaws in the WiFi protocols we rely on more and more. The group goes by the name ‘FragAttacks’ (a mashup of ‘fragmentation’ and ‘aggregation’) and primarily concerns how WiFi splits up and combines the vast amounts of data it carries.
FragAttacks could allow hackers within a device’s WiFi radio range to gather information about its owner and introduce malware to compromise intelligent devices such as computers or smartphones, even those protected by a standard WiFi security protocol such as WEP, WPA2 or WPA3. Since WEP was first implemented in 1997, these vulnerabilities have most likely been around for 24 years. Three of them are design flaws in the WiFi standard itself, while the others stem from how device manufacturers implement WiFi.
According to Vanhoef, these vulnerabilities come as a surprise to many because of the substantial improvements in WiFi security. For one, the defences against KRACK were proven entirely secure. This, coupled with the latest WPA3 security, which also went through improvements, made WiFi much safer than before. However, features that were never adopted in practice and parts of WiFi that had not been widely studied before led to the newly discovered design flaws.
FragAttacks comprise 12 different vulnerabilities, each of which works in a different way. Each has been assigned a Common Vulnerabilities and Exposures (CVE) identifier, which is described in more detail on GitHub. The vulnerabilities are divided into two major categories: design flaws and implementation vulnerabilities. Design flaws are flaws in the WiFi standard itself; they are found in most devices but are difficult to attack because they require user interaction or unusual network settings. Implementation vulnerabilities, however, are easier to attack.
WiFi standard Design Flaws:
- CVE-2020-24588: aggregation attack, which involves accepting non-SPP A-MSDU frames. This can be abused to intercept sensitive private information from users, such as their username and password.
- CVE-2020-24587: mixed key attack, which could reassemble fragments encrypted under different keys.
- CVE-2020-24586: fragment cache attack, which involves not clearing fragments from memory when (re)connecting to a network.
WiFi standard Implementation Vulnerabilities:
- CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
- CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
- CVE-2020-26140: Accepting plaintext data frames in a protected network.
- CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.
Other Implementation Flaws:
- CVE-2020-26139: Forwarding EAPOL frames even though the sender is not authenticated (should only affect APs).
- CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
- CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
- CVE-2020-26142: Processing fragmented frames as full frames.
- CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.
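As an added illustration, not code from the article or from Vanhoef's FragAttacks tooling, the following constructed Python model of a receiver's defragmentation path shows the checks whose absence the implementation CVEs above describe: consecutive packet numbers, one key per frame, no plaintext on a protected link, and a fragment cache flushed on reconnect. The Fragment fields and the Reassembler class are assumptions made for this model, not any real driver's API.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Fragment:
    seq: int               # 802.11 sequence number shared by all fragments of one frame
    frag_no: int           # fragment number within that frame
    more_frags: bool       # "More Fragments" flag from the frame control field
    pn: int                # CCMP/GCMP packet number the fragment arrived with
    key_id: Optional[int]  # session key it was decrypted under; None = arrived in plaintext
    payload: bytes

class Reassembler:
    """Receiver-side defragmentation (constructed model, not a real 802.11 stack)
    that enforces the checks the implementation CVEs above describe as missing."""
    def __init__(self, protected: bool):
        self.protected = protected  # True on a WPA2/WPA3 network
        self.cache = {}             # seq -> [last_frag_no, last_pn, key_id, payloads]

    def on_reconnect(self):
        self.cache.clear()  # CVE-2020-24586: fragments must not survive a (re)connect

    def receive(self, f: Fragment) -> Optional[bytes]:
        if self.protected and f.key_id is None:
            return None  # CVE-2020-26140/26143: drop plaintext (fragments of) data frames
        if f.frag_no == 0:
            self.cache.pop(f.seq, None)  # a fresh first fragment replaces any stale partial frame
            if not f.more_frags:
                return f.payload  # ordinary unfragmented frame
            self.cache[f.seq] = [0, f.pn, f.key_id, [f.payload]]
            return None
        entry = self.cache.get(f.seq)
        if entry is None:
            return None  # CVE-2020-26142: a lone non-first fragment is not a full frame
        last_no, last_pn, key_id, parts = entry
        if f.frag_no != last_no + 1 or f.pn != last_pn + 1 or f.key_id != key_id:
            # CVE-2020-26146 / 24587 / 26147: fragments must carry consecutive packet
            # numbers and be protected under the same key, else the whole frame is dropped.
            del self.cache[f.seq]
            return None
        parts.append(f.payload)
        entry[0], entry[1] = f.frag_no, f.pn
        if f.more_frags:
            return None
        del self.cache[f.seq]
        return b"".join(parts)
```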
All of the vulnerabilities above can be abused by hackers: in a test of 75 devices, every one was susceptible to them. It is therefore worth seeing how hackers could exploit them.
The video shows that the WiFi flaws can be abused either to steal personal data or to attack devices connected to the victim’s home network. The former is seen in the first example in the video, an attack on a design flaw that let the hacker set up a fraudulent website replicating the NYU website and so capture the victim’s username and password. The second type of attack is among the most significant risks associated with FragAttacks. Many smart home and IoT devices are rarely updated, which makes a secure WiFi connection the only defence they have; because of the implementation vulnerabilities, that defence is not as strong as the user might like. The video demonstrated this by taking control of a smart power plug and taking over an outdated Windows 7 machine. Vanhoef informed the WiFi Alliance about these vulnerabilities so that they could be corrected before public disclosure. He also says he is not specifically aware of the vulnerabilities being exploited ‘in the wild’, but it would still make sense for people to secure themselves.
As the world gets more connected, malicious users will find ways to reach ordinary people. This is why experts recommend applying the security patches that correct these weaknesses and mitigate their threat. Many vendors, including Linux Wireless, Samsung and Lenovo, have already released patches for some of their products. Keeping devices and the WiFi infrastructure they use up to date with these patches strengthens them against possible attacks.
These vulnerabilities can be rather scary from a privacy standpoint, especially considering the vast amount of data we transmit and process over WiFi networks. Taking vital steps such as using strong and unique passwords, not visiting unsecured websites, always using HTTPS, and keeping devices updated and patched can help make things less frightening.