FragAttacks : Demonstration of Flaws in WPA2/3

[upnorth]

This is not a "hacking" tutorial but a demonstration about academic IT security research. Made by Mathy Vanhoef of New York University and KU Leuven. The tools shown are not public.

FragAttacks (fragmentation and aggregation attacks) which is a collection of new security vulnerabilities that affect Wi-Fi devices. An adversary that is within radio range of a victim can abuse these vulnerabilities to steal user information or attack devices. Three of the discovered vulnerabilities are design flaws in the Wi-Fi standard and therefore affect most devices. On top of this, several other vulnerabilities were discovered that are caused by widespread programming mistakes in Wi-Fi products. Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities.

The discovered vulnerabilities affect all modern security protocols of Wi-Fi, including the latest WPA3 specification. Even the original security protocol of Wi-Fi, called WEP, is affected. This means that several of the newly discovered design flaws have been part of Wi-Fi since its release in 1997! Fortunately, the design flaws are hard to abuse because doing so requires user interaction or is only possible when using uncommon network settings. As a result, in practice the biggest concern are the programming mistakes in Wi-Fi products since several of them are trivial to exploit.

To protect users, security updates were prepared during a 9-month-long coordinated disclosure that was supervised by the Wi-Fi Alliance and ICASI. If updates for your device are not yet available, you can mitigate some attacks (but not all) by assuring that websites use HTTPS and by assuring that your devices received all other available updates. The research will be presented at the USENIX Security conference and a longer talk with more background will also be given at Black Hat USA this summer.

The Wi-Fi flaws can also be abused to exfiltrate transmitted data. The demo shows how this can be abused to learn the username and password of the victim when they use the NYU website. However, when a website is configured with HSTS to always use HTTPS as an extra layer of security, which nowadays close to 20% of websites are, the transmitted data cannot be stolen. Additionally, several browsers now warn the user when HTTPS is not being used. Finally, although not always perfect, recent mobile apps by default use HTTPS and therefore also use this extra protection.

FragAttacks: Security flaws in all Wi-Fi devices

We present three security design flaws in Wi-Fi and widepread implementation flaws. These can be abused to exfiltrate user data and attack local devices.

www.fragattacks.com

The pre-recorded presentation made for USENIX Security can already be viewed online. Note that the target audience of this presentation are academics and IT professionals:

A tool was made that can test if clients or APs are affected by the discovered design and implementations flaws. It can test home networks and enterprise networks where authentication is done using, e.g., PEAP-MSCHAPv2 or EAP-TLS. The tool supports over 45 test cases and requires modified drivers in order to reliable test for the discovered vulnerabilities. Without modified drivers, one may wrongly conclude that a device is not affected while in reality it is.

A live USB image is also available. This image contains pre-installed modified drivers, modified firmware for certain Atheros USB dongles, and a pre-configured Python environment for the tool. Using a live image is useful when you cannot install the modified drivers natively (and using a virtual machine can be unreliable for some network cards).

Q&A
Will using a VPN prevent attacks?
Using a VPN can prevent attacks where an adversary is trying to exfiltrate data. It will not prevent an adversary from bypassing your router's NAT/firewall to directly attack devices.

 

[ForgottenSeer 85179]

My router (AVM Fritzbox 7590) is since last week already protected against "FragAttacks"

 

[Gandalf_The_Grey]

Well, there is some hope for me:
(Translated form Dutch)

Ziggo must offer free choice of modem by the end of this month
VodafoneZiggo customers may use their own modem from at least the end of this month. The Disputes Committee has determined that the provider must facilitate this, following a complaint from a user.

Ziggo moet van Geschillencommissie eind deze maand vrije modemkeuze aanbieden

Klanten van VodafoneZiggo mogen vanaf in ieder geval eind deze maand hun eigen modem gebruiken. De Geschillencommissie heeft bepaald dat de provider dat moet faciliteren, na een klacht van een gebruiker.

tweakers.net

If possible, I would like to get a FRITZ!Box 6660 Cable.

 

[upnorth]

My router (AVM Fritzbox 7590) is since last week already protected against "FragAttacks"

Glad to hear and extra so when it shows that this researchers work with so called responsible disclosure paid off.

 

[Gandalf_The_Grey]

FragAttacks
Lots of news in the last 2 days about newly discovered old “vulnerabilities that affect Wi-Fi devices called “FragAttacks” (which is an awesome name BTW). The press is issuing it’s usual gloom and doom, patch now or you’re finished, dire warnings.

Point one: Wi-Fi Alliance, “There is no evidence of the vulnerabilities being used against Wi-Fi users maliciously.”
Point two direct from FragAttacks: Security flaws in all Wi-Fi devices :
The bad news –
“The discovered vulnerabilities affect all modern security protocols of Wi-Fi, including the latest WPA3 specification. Even the original security protocol of Wi-Fi, called WEP, is affected.”
The good news – “Fortunately, the design flaws are hard to abuse because doing so requires user interaction or is only possible when using uncommon network settings…By default devices don’t send fragmented frames. This means that the mixed key attack and the fragment cache attack, on their own, will be hard to exploit in practice, unless Wi-Fi 6 is used.”

Windows is patched, Linux kernel patches imminent, vendors are patching hardware… Use HTTPS, update your OS, patch your stuff, and go on about your business.
How to update your Home WIFI router – SecurityStudio

Security Advisories / Bulletins linked to FragAttacks
These are links to vendors pages which you can use to find updates for your device.

FragAttacks - TweakHound

Optimize your computing experience, Performance, Tweak, Tweaker, Tweaking Windows, Tweak Guides, Tweakguides, Privacy, Security, Computer How-to, fix computer, Computer news and information, Windows Xp, Windows 7, Windows 10, Linux

www.tweakhound.com

 

[Ink]

No need to panic, see the recommendations below.

My device isn't patched yet, what can I do?​

First, it's always good to remember general security best practices: update your devices, don't reuse your passwords, make sure you have backups of important data, don't visit shady websites, and so on.

In regards to the discovered Wi-Fi vulnerabilities, you can mitigate attacks that exfiltrate sensitive data by double-checking that websites you are visiting use HTTPS. Even better, you can install the HTTPS Everywhere plugin. This plugin forces the usage of HTTPS on websites that are known to support it.

To mitigate attacks where your router's NAT/firewall is bypassed and devices are directly attacked, you must assure that all your devices are updated. Unfortunately, not all products regularly receive updates, in particular smart or internet-of-things devices, in which case it is difficult (if not impossible) to properly secure them.

More technically, the impact of attacks can also be reduced by manually configuring your DNS server so that it cannot be poisoned. Specific to your Wi-Fi configuration, you can mitigate attacks (but not fully prevent them) by disabling fragmentation, disabling pairwise rekeys, and disabling dynamic fragmentation in Wi-Fi 6 (802.11ax) devices.

Source: FragAttacks: Security flaws in all Wi-Fi devices

 

[Brahman]

My router (AVM Fritzbox 7590) is since last week already protected against "FragAttacks"

Its very welcoming to see router makers updates their firmware to cover disclosed vulnerabilities. My router (Mikrotik Hap Ac) yesterday got the update fixing those vulnerabilities.

What's new in 6.48.3 (2021-May-25 06:09):

MAJOR CHANGES IN v6.48.3:
----------------------
!) wireless - fixed all affecting 'FragAttacks' vulnerabilities (CVE-2020-24587, CVE-2020-24588, CVE-2020-26144, CVE-2020-26146, CVE-2020-26147);
----------------------