Call us today on: +44 (0)203 88 020 88
SecureTeamSecureTeamSecureTeamSecureTeam
  • Home
  • Our Services
    • Infrastructure Testing
      • Internal Network Penetration Test
      • External Network Penetration Test
      • Wireless Network Penetration Test
      • Vulnerability Assessment
      • Network Segregation Test
      • Voice over IP (VoIP) Penetration Test
    • Application Testing
      • Web Application Penetration Test
      • Mobile Application Penetration Test
      • Desktop Application Security Assessment
      • Citrix Breakout Test
    • Configuration Review
      • Windows Server Build Review
      • Linux Server Build Review
      • Citrix Configuration Review
    • Information Assurance
      • ISO 27001 Gap Analysis
    • Cyber Essentials
  • News
  • Articles
  • About
    • About SecureTeam
    • STORM Appliances
      • Installing a STORM Device
      • Returning a STORM Device
    • White-Label Consultancy
    • Jobs
    • Cookie Policy
    • Privacy Notice
    • Website Terms & Conditions
  • Contact Us

News

Home  >  News  >  Vulnerabilities  >  Wi-Fi FragAttacks expose flaws in WPA2, WPA3
NextPrevious

Wi-Fi FragAttacks expose flaws in WPA2, WPA3

News, Vulnerabilities | 19 May, 2021 | 0

Design and Implementation flaws in Wi-Fi standards have been disclosed that could leave home and enterprise Wi-Fi networks vulnerable.  The flaws are thought to affect all Wi-Fi systems from WEP through to the latest WPA3 security standard.

Source: fragattacks.com

The vulnerabilities have been named FragAttacks as they are mainly related to flaws in the way Wi-Fi fragments large data packets or aggregating small data frames into larger frames to improve performance. One interesting example is described below, and detailed in a video demonstration.

How aggregation attacks work

Wi-Fi networks combine several small frames into one large, aggregated frame in order to improve the performance of the network.  However, the flag in the header of the Wi-Fi frame which declares whether the transported payload consists of several aggregated frames is not authenticated and can be manipulated by an attacker. This can be abused by tricking a user to connecting to a server controlled by the attacker (for example to download an invisible image in an email) and the attacker can specially craft a TCP response packet that will be (mis)interpreted by the Wi-Fi firmware as an aggregated frame which will be delivered to the victim’s computer.  This injected frame could, for example, contain an ICMP router advertisement to redirect the victim to use a malicious DNS server.

Wi-Fi header can be manipulated.  Source: fragattacks.com

In order for this attack to work, the attacker must be physically close to the victim and able to create a clone of the access point which the victim’s computer can connect to.  Then as the Wi-Fi traffic flows through the cloned access point, the attacker flips the header flag of the malicious frame to cause the victim to de-aggregate the frame and process the injected malicious packet.

12 CVE have been created to track the flaws and vulnerabilities identified and they are detailed on the FragAttacks website. The CVE include design flaws in the Wi-Fi standard and several implementation flaws that leave many models of Wi-Fi access points vulnerable.  The design flaws are generally not easily exploited – as shown above, whereas the implementation flaws discovered are more easily attacked.

ICASI and the Wi-Fi Alliance have been co-ordinating a response from Wi-Fi device makers and operating system vendors to address these vulnerabilities.

 

Subscribe to our monthly cybersecurity newsletter
Stay up-to-date with the very latest cybersecurity news & technical articles delivered straight to your inbox
We hate spam as much as you do. We will never give your email address out to any third-party.
penetration testing, wireless

Related Post

  • iOS WiFi crashes with malicious hotspot name

    By Mark Faithfull

    iPhone users should beware after a bug is disclosed that can disable the WiFi system simply by connecting to a hotspot with a specially crafted name. The bug in iOS results from a poorly sanitisedRead more

  • HPE patches RCE 0day in SIM software

    By Mark Faithfull

    Hewlett Packard Enterprise has released a patch to fix a critical remote code execution vulnerability in the Windows version of their System Insight Manager. The bug in the Federated Search and CMS Configuration (CVE-2020-7200) featureRead more

  • What is a pass the hash attack?

    By Mark Faithfull

    Pass the hash is a technique used to steal credentials and enable lateral movement within a target network. In Windows networks, the challenge-response model used by NTLM security is abused to enable a malicious user toRead more

  • GDPR Fines continue to grow

    By Mark Faithfull

    Daily GDPR breach notifications are up 20% and fines are up 39% according to a new report. Law firm DLA Piper has published their third annual GDPR Fines and Data Breech Survey which reveals theRead more

  • NetLogon Security Changes coming in February

    By Mark Faithfull

    Microsoft continues to roll out changes to mitigate the Zerologon vulnerability and a change due in the February Patch Tuesday could break non-Windows device’s ability to connect to the domain. The Zerologon vulnerability is aRead more

NextPrevious

Recent Posts

  • Largest Ever DDoS Exceeds 21m requests per second
  • September Patch Tuesday fixes Critical and Zero Day vulnerabilities
  • Key lessons from the 2021 Data Breach Investigations Report
  • Critical patches released for Netgear Switches
  • Microsoft warns Office 365 targeted by zero-day RCE

Tags

Adobe Android Apple Bluetooth Chrome Cisco credential stuffing cyber crime cyber essentials cyber security cyber security news Data Protection DDoS Dell DNS Exchange Server exim fileless formjacking GDPR IoT Linux MacOS Meltdown microsoft ncsc Netgear patching penetration testing phishing ransomware RDP security breach Security operations security testing SIEM software development Spectre supply chain attacks Sysinternals Tomcat vulnerability management web applications web browsers wireless

Archives

  • September 2021
  • August 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • September 2019
  • August 2019
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018
  • November 2018
  • July 2018
  • June 2018
  • April 2018
  • January 2018
  • October 2017
BCS Cyber Essentials Cyber Essentials Cyber Essentials PLUS ISO 9001 ISO 27001
information. secured.
  • Home
  • Our Services
    • Infrastructure Testing
      • Internal Network Penetration Test
      • External Network Penetration Test
      • Wireless Network Penetration Test
      • Vulnerability Assessment
      • Network Segregation Test
      • Voice over IP (VoIP) Penetration Test
    • Application Testing
      • Web Application Penetration Test
      • Mobile Application Penetration Test
      • Desktop Application Security Assessment
      • Citrix Breakout Test
    • Configuration Review
      • Windows Server Build Review
      • Linux Server Build Review
      • Citrix Configuration Review
    • Information Assurance
      • ISO 27001 Gap Analysis
    • Cyber Essentials
  • News
  • Articles
  • About
    • About SecureTeam
    • STORM Appliances
      • Installing a STORM Device
      • Returning a STORM Device
    • White-Label Consultancy
    • Jobs
    • Cookie Policy
    • Privacy Notice
    • Website Terms & Conditions
  • Contact Us
SecureTeam