With the so-called FragAttacks (Fragmentation and Aggregation Attacks), the security researcher Mathy Vanhoef, known for his work on the KRACK attack, has again presented a series of design flaws in WLAN protocols that can be exploited for attacks under certain circumstances.
In theory, the attacks are probably possible against the vast majority of all WLAN devices since the introduction of the underlying technology in 1997.
According to the description of the vulnerabilities, the design flaws themselves are difficult to exploit in practice, as they require user interaction and can only be exploited with rarely used network settings. However, Vanhoef also writes: “In practice the biggest concern are the programming mistakes in Wi-Fi products since several of them are trivial to exploit.”
Vanhoef adds that the discovery of the vulnerabilities surprised him, because the security of WLAN had improved significantly, especially after the KRACK attacks were announced. However, a precaution that would have prevented one of the flaws is rarely used. In addition, two further vulnerabilities were found in a part of the WLAN protocol that has so far received little scrutiny.
Specifically, the vulnerabilities and bugs found by Vanhoef can be used to inject specially crafted data frames into an existing WLAN connection. Clients could be redirected to malicious DNS servers in order to intercept data. NAT and firewall rules on routers or access points could also be bypassed.
One of the design flaws concerns the aggregation of data frames, which is primarily intended to increase throughput. The header flag used for this is not authenticated and can therefore be altered. This can be exploited when a client connects to a server controlled by the attacker, after which manipulated packets are injected.
“Virtually all devices tested were susceptible to this attack,” writes Vanhoef. This allows connections to be rerouted using DNS spoofing, for example. Although there is a standard that can be used to authenticate the header, it is hardly ever used.
The second flaw concerns so-called frame fragmentation, which WLAN uses to split up large frames. Under rare conditions, this design flaw found by Vanhoef can be used to extract data.
The third design flaw concerns the fragmentation cache. An access point's cache holds frames that have been split up and not yet reassembled. The attack described by Vanhoef injects further manipulated frames in order to then extract the data held in the cache.
Finally, Vanhoef lists among the FragAttacks a number of further bugs in specific implementations' handling of frames. These allow frames to be injected into other users' connections without any user interaction.
In total, the researcher tested around 75 combinations of WLAN devices and platforms, and all of them were vulnerable. However, Vanhoef cannot say whether every WLAN device worldwide is actually affected. The researcher has also published tools on GitHub for checking whether one’s own devices are vulnerable.
The Linux kernel developers have already worked with Vanhoef on patches that implement protective measures against the protocol's design flaws and correct numerous implementation bugs.
The patch notes also state that drivers, and in particular their firmware, may have to be updated by the manufacturers in future. Intel has already done so without referring directly to the vulnerabilities. At the beginning of March, Microsoft likewise fixed some of the described vulnerabilities in Windows without explicitly saying so.