In the latest security developments, a security researcher has found numerous Frag attacks vulnerabilities in the WiFi Standard, some of which date back to as old as 1996 impacting the wireless routers.

Mathy Vanhoef is a Belgian security researcher who found these decades-old and previously undetected security flaws and released them in his study titled “Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation.”

Frag attacks and critical implications:

To the unaware, Frag attacks facilitate malicious entities to poach the user data of the owner of the WiFi device that they are in the range of, and deliver malicious code on the compromised device.

Since the invention of wireless networking in 1997, a dozen vulnerabilities have been discovered that affect all Wi-Fi security protocols, from WEP to WPA3.

Detailing some vulnerabilities within the WiFi devices, the published report of Vanhoef states that one of the design flaws exists in the frame aggregation functionality while two other flaws exist in the frame fragmentation functionality.

“These design flaws allow an adversary to forge encrypted frames in a variety of ways, allowing sensitive data to be exfiltrated,” he notes

It was also provided that both, frame aggregation, which is responsible for combining network data frames, and frame fragmentation, which is responsible for dividing network data frames into smaller pieces, contains security flaws that enhance the efficiency of probable cyberattacks.

Also read,

The 802.11 frame aggregation flaw is plausible in a scenario when an unauthenticated flag in a frame header is flipped, thereby allowing the encrypted data payload to be parsed as multiple aggregated frames as opposed to a single network packet.

“We exploit this to inject arbitrary frames into a victim’s traffic and then intercept it by forcing it to use a malicious DNS server,” the paper notes.

As a result of these extensive vulnerability findings, dating back decades, it was concluded that almost all of the WiFi devices that were tested were compromised in the Frag attacks. 

Multitude of WiFi devices vulnerable to Frag attacks:

A total of 75 devices were tested for the implications of the Frag attacks, of which, each device was with a different network card and OS like Windows, Linux, Android, macOS, and iOS. 

All of them were found to be vulnerable to one or more of the tested attacks.

Since they do not support the reception of A-MSDUs, NetBSD and OpenBSD were unaffected.

As a result, the ICASI i.e Industry Consortium for Advancement of Security on the Internet and WiFi Alliance worked in coordination to oversee responsible disclosing and deploy patches for several affected devices and software.

Brief of Flaws:

Wi-Fi Standard Design Flaws:

  • CVE-2020-24588: aggregation attack (accepting non-SPP A-MSDU frames).
  • CVE-2020-24587: mixed key attack (reassembling fragments encrypted under different keys).
  • CVE-2020-24586: fragment cache attack (not clearing fragments from memory when (re)connecting to a network).

WiFi Standard Implementation Flaws:

  • CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
  • CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
  • CVE-2020-26140: Accepting plaintext data frames in a protected network.
  • CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.

Other Implementation Flaws:

  • CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
  • CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
  • CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
  • CVE-2020-26142: Processing fragmented frames as full frames.
  • CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames