Despite recent improvements in Wi-Fi security, new vulnerabilities in the way most of us receive data over the internet are still being found. That was the case upon the recent discovery of “frag attacks,” which are a result of design flaws in Wi-Fi itself.
That means these issues have existed since the technology’s widespread inception around 1997, and they could have been leveraged in the time since. Technology companies have begun issuing patches for some of their products that are particularly vulnerable to frag attacks, and more vendors will continue to do so.
IT Support Guys is already dealing with this newly discovered vulnerability, ensuring our clients are safe from frag attacks. This post will explain what frag attacks are, how they can wind up in your network, and how they are being dealt with.
What is a frag attack?
A frag (fragmentation and aggregation) attack either captures traffic toward unsecured networks to then clone and impersonate servers, or opens the network by injecting plaintext frames that look like handshake messages. More simply, frag attacks trick your network devices into thinking they are doing something safe.
Three of the issues that emerged are design flaws within Wi-Fi as a protocol. The rest are programming mistakes.
Research into the vulnerabilities showed that accessing networks through these methods is even possible when Wi-Fi networks are secured using WPA2 or WPA3 encryption.
Once victims connect to the corrupted network, the attacker then injects malicious packets of data that trick the victim’s computer into using a malicious DNS server. Due to the design flaw in Wi-Fi, the victim will not be alerted to the altered packets of data that are tricking their computer.
When the victim next visits an unsecured website, the attacker’s DNS server will send them to a copy of the intended website, allowing the cybercriminal to capture keystrokes containing sensitive information like usernames and passwords.
Attackers can also inject malicious packets of data to “punch a hole” in a router’s firewall if a connected device is vulnerable, allowing the attacker to unmask IP addresses and destination ports used to access the device. With this access, attackers can take screenshots of the device, or execute programs on its interface.
Who identified the possibility of frag attacks?
This vulnerability was discovered by a researcher named Mathy Vanhoef, who also discovered the “KRACK” Wi-Fi vulnerability back in 2017. As of this post, Vanhoef is a postdoctoral researcher in computer security at New York University Abu Dhabi.
Vanhoef’s findings on frag attacks can be found in full at fragattacks.com, while his findings on KRACK attacks can be found at KRACKattacks.com. For his breakdown of frag attacks, see Vanhoef’s video below.
What routers and access points are affected by frag attacks?
Because it affects Wi-Fi itself, any devices that access Wi-Fi are vulnerable. Yes, that’s just about every device.
Older hardware without the most updated security patches is the most vulnerable to frag attacks. The older a device is, the more likely that its manufacturer has stopped issuing patches. Newer hardware that is still unpatched is similarly vulnerable.
Users should make sure to check that their devices, including routers and network equipment, are up to date with patches and firmware. For businesses with a managed services provider who provides network security services, this is probably already being handled for you. Otherwise, make sure to stay diligent about modern security protocols, like using strong passwords and staying away from websites that do not utilize HTTPS.
To ensure that your devices are updated and protected against frag attacks, check your latest firmware logs to see if they have addressed the 12 common vulnerabilities and exposures (CVE):
Design flaws in Wi-Fi standard:
- CVE-2020-24588: Requirement that the A-MSDU flag in the plaintext QoS header field is authenticated.
- CVE-2020-24587: Requirement that all fragments of a frame are encrypted under the same key.
- CVE-2020-24586: Requirement that received fragments be cleared from memory after (re)connecting to a network.
Implementation flaws of Wi-Fi standard:
- CVE-2020-26145: Acceptance of second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames.
- CVE-2020-26144: Acceptance of plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL.
- CVE-2020-26140: Acceptance of plaintext frames in a protected Wi-Fi network.
- CVE-2020-26143: Acceptance fragmented plaintext frames in a protected Wi-Fi network.
Other implementation flaws:
- CVE-2020-26139: Forwarding of EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP.
- CVE-2020-26146: Reassembling of fragments with non-consecutive packet numbers.
- CVE-2020-26147: Reassembling of fragments even though some of them were sent in plaintext.
- CVE-2020-26142: Treatment of fragmented frames as full frames.
- CVE-2020-26141: Verification of the Message Integrity Check (authenticity) of fragmented TKIP frames.
Are frag attacks being actively exploited?
It is hard to tell whether attackers have explicitly targeted these vulnerabilities, and there is no evidence that they have been. Contrarily, cybercriminals work tirelessly to find vulnerabilities, and issues that have been unpatched for over 20 years may have been leveraged in the past.
The good news is that Vanhoef alerted the Wi-Fi Alliance and Industry Consortium for Advancement of Security on the Internet (ICASI) before making his findings public, so tech companies could begin to patch the vulnerabilities early. The Alliance issued an update on May 11, 2021, stating that the hole is easily patched through routine device updates that enable the detection of these transmissions.
Overall, the fact that nobody made note of this vulnerability for so long makes it unlikely that someone other than Vanhoef found it first. If black-hat hackers had exploited it earlier, white-hat hackers would have figured out it was happening.
The potential exploitation of these openings is serious, but the circumstances must be perfect for a cybercriminal to capitalize. To access your network via these vulnerabilities, attackers must be in radio range and have direct interaction with a user on the network. It also requires misconfigured network settings.
How are IT support companies handling frag attacks?
Given how many devices are affected by this vulnerability, the entire technology industry is reliant on manufacturers’ updates to patch them. Vendors have been working on patches for over 9 months since Vanhoef disclosed the vulnerability.
As this is an ongoing development, ITSG is working directly with vendors to ensure that all patches are applied when released. Microsoft silently rolled out the patch that covers these vulnerabilities on March 9, 2021. Because all devices on our managed devices plan are patched as soon as possible, all managed Windows devices covered by ITSG already have the patches they need.
If you are unsure if your current ITSG plan covers patch management, book a 15-minute consult with our virtual CIO now.
If you are not yet an ITSG customer, head over to our pricing wizard to take your first step toward the swift patch management that will protect you from frag attacks, and any future vulnerabilities.