Design and Implementation flaws in Wi-Fi standards have been disclosed that could leave home and enterprise Wi-Fi networks vulnerable. The flaws are thought to affect all Wi-Fi systems from WEP through to the latest WPA3 security standard.
The vulnerabilities have been named FragAttacks as they are mainly related to flaws in the way Wi-Fi fragments large data packets or aggregating small data frames into larger frames to improve performance. One interesting example is described below, and detailed in a video demonstration.
How aggregation attacks work
Wi-Fi networks combine several small frames into one large, aggregated frame in order to improve the performance of the network. However, the flag in the header of the Wi-Fi frame which declares whether the transported payload consists of several aggregated frames is not authenticated and can be manipulated by an attacker. This can be abused by tricking a user to connecting to a server controlled by the attacker (for example to download an invisible image in an email) and the attacker can specially craft a TCP response packet that will be (mis)interpreted by the Wi-Fi firmware as an aggregated frame which will be delivered to the victim’s computer. This injected frame could, for example, contain an ICMP router advertisement to redirect the victim to use a malicious DNS server.
In order for this attack to work, the attacker must be physically close to the victim and able to create a clone of the access point which the victim’s computer can connect to. Then as the Wi-Fi traffic flows through the cloned access point, the attacker flips the header flag of the malicious frame to cause the victim to de-aggregate the frame and process the injected malicious packet.
12 CVE have been created to track the flaws and vulnerabilities identified and they are detailed on the FragAttacks website. The CVE include design flaws in the Wi-Fi standard and several implementation flaws that leave many models of Wi-Fi access points vulnerable. The design flaws are generally not easily exploited – as shown above, whereas the implementation flaws discovered are more easily attacked.
ICASI and the Wi-Fi Alliance have been co-ordinating a response from Wi-Fi device makers and operating system vendors to address these vulnerabilities.