FragAttacks: All Wi-Fi Devices back to 1997 are Vulnerable

Vulnerabilities allow an attacker within range of a Wi-Fi device to collect information about the owner and run malicious code.

Belgian security researcher Mathy Vanhoef has discovered a series of vulnerabilities in the Wi-Fi standard. Some have been present since 1997 and affect all devices released in the last 24 years.

The vulnerabilities, dubbed Frag Attacks, allow an attacker within range of a Wi-Fi device to collect information about the owner of the device and run malicious code in order to compromise a computer, smartphone, or any other smart device. Devices remain vulnerable even with WEP and WPA security standards enabled.

Three out of twelve vulnerabilities are design flaws and therefore affect most devices. The rest of the vulnerabilities exist due to common programming errors made during the implementation of the Wi-Fi standard. Each device has at least one Frag Attacks vulnerability, but most devices have several.

The researcher reported his discovery to the WiFi Alliance, and over the past nine months the organization has been working on adjusting its standards and guidelines, and has also worked with electronics manufacturers to prepare firmware patches.

WiFi standard design flaws:

  • CVE-2020-24588: aggregation attack (accepting non-SPP A-MSDU frames).
  • CVE-2020-24587: mixed key attack (reassembling fragments encrypted under different keys).
  • CVE-2020-24586: fragment cache attack (not clearing fragments from memory when (re)connecting to a network).

WiFi standard implementation flaws:

  • CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
  • CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
  • CVE-2020-26140: Accepting plaintext data frames in a protected network.
  • CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.

Other implementation flaws:

  • CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
  • CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
  • CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
  • CVE-2020-26142: Processing fragmented frames as full frames.
  • CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.
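
Several of the listed flaws are receive-side reassembly mistakes. The following is an added example, not code from the paper or from any Wi-Fi driver: a simplified model of a fragment reassembler that enforces the checks implied by CVE-2020-24586, CVE-2020-24587, CVE-2020-26140, CVE-2020-26142, CVE-2020-26143, CVE-2020-26146 and CVE-2020-26147 (the aggregation and A-MSDU issues are not modelled). The `Fragment` fields are a constructed abstraction of the relevant 802.11 header values, not a frame parser.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Fragment:
    """Simplified 802.11 fragment (constructed model, not a real frame parser)."""
    seq: int               # sequence number shared by all fragments of one frame
    frag_num: int          # fragment index within the frame, starting at 0
    more_frags: bool       # set on every fragment except the last
    pn: Optional[int]      # CCMP/GCMP packet number; None means plaintext
    key_id: Optional[int]  # key the fragment was decrypted with; None means plaintext
    payload: bytes


class Reassembler:
    """Receive-side reassembly enforcing the checks the FragAttacks CVEs describe."""

    def __init__(self, protected: bool) -> None:
        self.protected = protected
        self.cache: Dict[int, List[Fragment]] = {}

    def on_reconnect(self) -> None:
        # CVE-2020-24586: a (re)connect must not leave old fragments in the cache.
        self.cache.clear()

    def receive(self, frag: Fragment) -> Optional[bytes]:
        """Return the reassembled payload when a frame completes, else None."""
        # CVE-2020-26140 / CVE-2020-26143: plaintext, fragmented or not, is dropped in a protected network.
        if self.protected and frag.pn is None:
            return None
        pending = self.cache.get(frag.seq, [])
        if not pending:
            # CVE-2020-26142: a lone non-first fragment is never a full frame.
            if frag.frag_num != 0:
                return None
        else:
            prev = pending[-1]
            ok = (frag.frag_num == prev.frag_num + 1                 # fragments must arrive in order
                  and frag.key_id == prev.key_id                     # CVE-2020-24587 / CVE-2020-26147: same key, same protection
                  and (frag.pn is None or frag.pn == prev.pn + 1))   # CVE-2020-26146: consecutive packet numbers
            if not ok:
                self.cache.pop(frag.seq, None)  # discard the partial frame instead of mixing fragments
                return None
        pending.append(frag)
        if frag.more_frags:
            self.cache[frag.seq] = pending
            return None
        self.cache.pop(frag.seq, None)
        return b"".join(f.payload for f in pending)
```

A vulnerable implementation differs only in omitting one or more of these checks; the model returns `None` for every condition the CVE list names and a payload only for a well-formed sequence.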

Exploiting the vulnerabilities is not easy, Vanhoef said. Some of them require user interaction, which means they cannot be used to carry out massive or worm-like attacks. However, they can be useful in targeted or spy operations. The video below shows the exploitation of the vulnerabilities.

As for the technical side, a research paper is also available [PDF]. According to Vanhoef, the core issue at the heart of the Frag Attacks is how the WiFi standard breaks and then reassembles network packets, allowing threat actors to introduce their own malicious code into legitimate content during this operation.

A demo of a Frag Attack is available below, with a step-by-step explanation from Vanhoef himself.