FragAttacks – What do we need to do about it?

After KRACK (2017) and Dragonblood (2019), Mathy VanHoef found a new set of Wi-Fi vulnerabilities. The findings have been publicly released on May 11th, 2021 under the following name: FragAttacks.

The goal of this article is to summarize the scope of these vulnerabilities and give you indications on what you should do in order to protect your Wi-Fi networks.

FragAttacks (Fragmentation and aggregation attacks) present a set of security vulnerabilities that affect Wi-Fi devices. A set of 12 CVEs have been announced by the ICASI (Industry Consortium for Advancement of Security on the Internet).

The vulnerabilities are exploiting the frame aggregation feature of Wi-Fi. They take advantage of how Wi-Fi devices receive, store and process fragments.

Some of these vulnerabilities are related to design flaws which have been part of the Wi-Fi protocols since its creation (1997):

• Aggregation attack: the “is aggregated” flag of the 802.11 header can be modified in order to inject arbitrary network packets and send unintended data to a victim. This flaw can be fixed by authenticating the “is aggregated” flag.
• Mixed key attack: different fragments could be reassembled even if they were decrypted using different keys. This could be to use exfiltrate data in rare conditions. Risk is low and it can be fixed by forcing the receiver to only reassemble fragments that have been decrypted using the same key.
• Fragment cache attack: Wi-Fi devices are not required to clear non-reassembled fragment from memory. This could be exploited by injecting fragments into the memory of the AP. When the victim then connects to the AP and start sending fragmented frames, the injected fragment will be added. This flaw can be fixed by removing fragments from memory whenever devices disconnect and connect to an AP.

The rest of the vulnerabilities are implementation vulnerabilities and can be subjects to injection attacks as well.

In this video, Mathy Vanhoef goes through his findings. It is a very good summary to watch if you have 12mins!

In order to exploit these vulnerabilities, an adversary would have to be in range of the victim’s Wi-Fi network and launch man-in-the-middle attacks. This allows us, the network operators, to put in place some mechanisms that can help us mitigate the risks.

Here is what you can do in order to mitigate the risks and prevent malicious activity against your Wi-Fi networks:

• Patch all of your Wi-Fi devices. This includes both access points and client devices. Contact the vendors to retrieve patches and know when patches will be released.
• Educate your users. Most attacks could be spotted by the users if the users are educated on IT security. It can be important to educate your users and introduce them to social engineering and phishing attacks.
• Implement a WIDS. A Wireless Intrusion Detection System can help us detect Rogue and honeypot access points that an attacker could use to perform a man-in-the-middle attack. Most vendors have similar systems available. The key is to configure the WIDS properly so it doesn’t provide false positives and alerts when needed.
• Use 802.11w (when possible). 802.11w or Management Frame Protection allows some management frames to be protected. This protects the Wi-Fi network against an attacker that would want to disconnect Wi-Fi clients in order to start a man-in-the-middle attack.
• Use 802.1X authentication (when possible). WPA2-Enterprise of WPA3-Enterprise can be used to perform 802.1X authentication. Some of the popular EAP methods (EAP-PEAP and EAP-TLS) allow us to perform mutual authentication between the client and the server which minimize the possibility for man-in-the-middle attacks.

So at this point, it is important to be aware of these vulnerabilities and take action against them to protect your Wi-Fi network as much as possible.

The risk of these vulnerabilities will stay very low if you patch your Wi-Fi devices as it would be very complex to exploit them.

We have listed an extensive list of links that you can use to get additional information. We will try to keep it up to date.

Official documents:

• Official FragAttacks website: https://www.fragattacks.com/
• FragAttacks overview: https://papers.mathyvanhoef.com/fragattacks-overview.pdf
• ICASI Announcement: https://www.icasi.org/aggregation-fragmentation-attacks-against-wifi/
• FragAttacks Demo video: https://www.youtube.com/watch?v=88YZ4061tYw
• FragAttacks Presentation at USENIX Security by Mathy Vanhoef: https://www.youtube.com/watch?v=OJ9nFeuitIU
• FragAttacks tools on Mathy Vanhoef GitHub: https://github.com/vanhoefm/fragattacks

Vendor security advisories:

• Juniper / Mist: https://kb.juniper.net/JSA11170 & https://www.mist.com/documentation/mist-security-advisory-fragattacks-and-faq
• Cisco & Meraki: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu
• HPE Aruba: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-011.txt
• Commscope / Ruckus: https://www.commscope.com/fragattacks-commscope-ruckus-resource-center/ & https://support.ruckuswireless.com/fragattacks-ruckus-technical-support-response-center
• Wi-Fi Alliance: https://www.wi-fi.org/security-update-fragmentation
• Sierra Wireless: https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin—swi-psa-2021-003
• Microsoft: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-24587 & https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-24588 & https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-26144

Other resources:

• Jim Palmers blog post: https://jimswirelessworld.wordpress.com/2021/05/11/fragattacks-just-reinforces-the-it-depends-complexity-of-wi-fi/
• Clear To Send Podcast episode 263: https://cleartosend.net/263
• FragAttacks – What you need to know from Packet 6: https://packet6.com/fragattacks-what-you-need-to-know/
• CommScope RUCKUS FragAttack video: https://www.youtube.com/watch?v=nfz6v2NsS2Y