All WiFi devices likely impacted by FragAttacks

We are increasingly dependent on WiFi networks for our communications, both for our personal devices and the growing number of smart devices in our homes. Because this communication is done over the air, the security of those transmissions is crucial.

Security researcher Mathy Vanhoef is one of many who have been poring over WiFi for years looking for those hidden imperfections that could be exploited to enter our networks, steal data, and take control of our stuff.

His newest paper exposes a series of problems with how WiFi devices process fragmented frames which can allow attackers in, even bypassing the firewalls on our routers. Thankfully these attackers are not easy to use at scale, largely because the attacker has to be in range of your WiFi network to use them.

The paper is being released after a 9 month embargo to allow vendors to patch their products, and larger companies such as Microsoft and Cisco have done just that. The bigger problem will lie with the many low cost IoT products that are often abandoned by their makers shortly after sale and will never be updated.

What is Fragmentation?

First, let’s look at the network functions that are impacted by these findings.

WiFi networks sit below the level of IP addresses and packets, and instead use data blocks called Frames. Frames are similar to packets in that they contain the data payload that is to be sent, and some meta data that defines some attributes of the frame and where it’s going.

Frame Aggregation is used to combine smaller frames into larger ones when possible to improve network speed. This cuts down on overhead by reducing the amount of meta data being sent as that meta data is the same size for every frame.

Frame Fragmentation is used to improve network reliability by splitting large frames into smaller ones where re-sending frames may be required due to low signal or congestion.

These features necessitate code in the WiFi implementation on each device to handle splitting and combining frames, and that code is where the problems are.

What kinds of issues are there?

There are a number of implementation issues, which are basically bugs introduced by the device maker in their software that can be exploited. Additionally, there are three design flaws in the WiFi standard that remain even in the latest WPA3 security protocol.

There is an aggregation attack, which can allow injection of packets by fooling the recipient into thinking the bogus data is aggregated with other frames.

A mixed key attack takes advantage of the standard’s failure to require aggregation of frames only when they are encrypted with the same key. By allowing mixed keys to be combined, an attacker can insert packets into frames with an incorrect key.

Finally, a cache attack allows an attacker to inject a fragment into an access point’s cache such that it will be combined with other fragments when a client reconnects.

Outside of these design flaws are a number of issues caused by implementations mixing encrypted and unencrypted fragments, not checking fragments belong to the same frame, or assuming combined frames are valid when they may contain unrelated data.

What can we do?

First and foremost is the usual mitigation of ensuring all your devices are updated regularly. Major brand products are generally covered reasonably well, and this is a part of why they may cost more. Cheap mass market, no-name IoT devices likely won’t get anything, as they are churned out for a quick buck and abandoned.

Having your router up to date will provide some defense, but even here many low end consumer brands don’t do this well. For these kinds of devices there isn’t much we can do on the device side.

You can, however, protect you data from being stolen by ensuring all your online activity is secured by HTTPS (the padlock in your browser’s address bar). Most mobile apps also use HTTPS in their communication, but it’s hard to tell as there is no clear indication available for end users.

All of the identified design flaws can be fixed, but this will take time. Major players are being proactive, but other devices won’t be improved until the standard is updated to mandate those changes.

For the more technically inclined, Vanhoef suggests some additional mitigations, “More technically, the impact of attacks can also be reduced by manually configuring your DNS server so that it cannot be poisoned. Specific to your Wi-Fi configuration, you can mitigate attacks (but not fully prevent them) by disabling fragmentation, disabling pairwise rekeys, and disabling dynamic fragmentation in Wi-Fi 6 (802.11ax) devices.”