Almost all Wi-Fi is potentially vulnerable to flaws that date back to 1997 when it became commercially available, but even the person who discovered the weaknesses says some of them are difficult to exploit.
Mathy Vanhoef, a post-doctoral student at NYU Abu Dhabi, has created attacks—FragAttacks—that take advantage of the vulnerabilities, but in an academic paper about them, says the most widespread vulnerabilities can be exploited only under specific, rare conditions, and require either user interaction or highly unusual configurations to succeed.
Other vulnerabilities—what he calls programming mistakes made by vendors in their Wi-Fi products—are easily exploited.
Vanhoef’s website about FragAttacks says his exploits can enable attackers within radio range to steal user information or attack devices on users networks. The flaws fall into two categories: Those in the Wi-Fi standard itself, and therefore affecting most devices, and those caused by widespread programming mistakes in individual Wi-Fi-product implementations.
Among major Wi-Fi vendors, only Aruba/HPE and Huawei have publicly acknowledged the disclosure of the FragAttack flaws. Aruba issued a statement saying that its access points contained the flaws, but that it updated its software prior to this week’s disclosure of them, and provided a document detailing which APs have been patched.
Huawei stated that it has “launched an immediate investigation,” and pledged to provide public updates when it has more information to share. Cisco and Ubiquiti declined to provide public comment as of Friday afternoon.
Vanhoef is issuing his report after nine months of disclosure with Wi-Fi vendors to enable them to fix the problems. A tool to check whether equipment is vulnerable to these flaws is available here for free.
The three most wide-ranging and serious flaws can allow attackers to inject malicious frames into a protected Wi-Fi network. This could allow an attacker to trick a client device into using a malicious DNS server or to force traffic through a router, bypassing NAT and firewalls. The weaknesses affect products made by nearly all of the major manufacturers.
“Fortunately, the [Wi-Fi-standard] design flaws are hard to abuse because doing so requires user interaction or is only possible when using uncommon network settings,” according to Vanhoef’s site. “As a result, in practice the biggest concern are the programming mistakes in Wi-Fi products since several of them are trivial to exploit.”
The most exploits work because of vulnerabilities in the way Wi-Fi handles frame fragmentation and frame aggregation, according to Vanhoef.
Frame aggregation is designed to make network connections faster by combining smaller frames into a larger one, using a system of flags that tells devices whether a given frame is a single frame or an aggregated one. The problem is that the “aggregated” flag is not authenticated on both ends of the connection and can be spoofed by a bad actor.
Fragmentation does the opposite, splitting larger frames into smaller ones for increased reliability. The flaw is that receiving devices aren’t required to check whether all parts of a split frame have been encrypted using the same keys, meaning that an attacker could steal data from a network by mixing up different fragments.
The other vulnerabilities identified by Vanhoef include aspects of Wi-Fi’s WPA security protocols that don’t do enough by default to authenticate and match up all parts of a message, leaving openings that could be used to compromise networks and steal data.
Forrester analyst Andre Kindness said the chances of these flaws being exploited in the wild seem remote at best.
“Is it something that would keep me up at night? Heck no,” Kindness said. “It’s like an Oceans 11 or Mission: Impossible scenario—you’d have to know what someone has. You’d have to encounter the perfect scenario where someone didn’t do something right in the firmware for the device or AP, and you’d have to be in radio distance.”
Kindness said that enterprise users should simply ensure all their patching is up-to-date, use the scanning tool, and proceed from there if they discover flaws.
Vanhoef is scheduled to present a talk on FragAttack at the USENIX Security Symposium, scheduled as a virtual event August 11–13.