Fragmentation and aggregation attacks, or FragAttacks for short, are a collection of vulnerabilities affecting Wi-Fi devices. The vulnerabilities were discovered by Mathy Vanhoef, who also co-discovered the Wi-Fi KRACK attacks in 2017. The way that the attack is carried out takes place when a malicious actor who is within range of a target’s Wi-Fi network can leverage these vulnerabilities to access user information and attack the target’s devices.
The FragAttacks vulnerabilities are a combination of design and implementation vulnerabilities, writes Jonathan Knudsen, senior security strategist, Synopsys Software Integrity Group. Design vulnerabilities happen before any code is written—for example, a bank website that doesn’t require a login has an obvious design vulnerability. Implementation vulnerabilities, or bugs, happen when developers make mistakes while they are writing software—for example, a login page can have a SQL injection vulnerability if the developer is not sufficiently careful about handling user input. Implementation vulnerabilities can also include bugs that are in third-party, open source components that are used as the building blocks for software.
Affecting all modern Wi-Fi security protocols, three of the FragAttacks vulnerabilities are design flaws, and they are probably as old as the 802.11 specification itself. Aggregation was added in 802.11n, which means this vulnerability has been in the design for over 10 years.
The worst of the design flaws allows an attacker to inject extra packets to WLAN frames. A victim is tricked into accessing the attacker’s machine on the internet side, or the victim’s access point contains a vulnerability that allows forwarding EAPOL frames. This attack modifies DNS configuration by sending an ICMPv6 router advertisement.
Fragmentation design flaws allow frame fragments to be reassembled incorrectly. Currently these two vulnerabilities don’t have exploitation usage because they require that the client uses fragmentation, which is not that common. However, it is used with Wi-Fi 6.
Nine of the FragAttacks vulnerabilities are implementation flaws. As the name implies, these flaws are triggered with fragmentation and aggregation anomalies. One of the implementation flaws is similar to one found with Defensics® FuzzBox 802.11 test suites.
Four of the nine implementation flaws involve sending plaintext frames into an encrypted network. One the implementation flaws is similar to a CVE discovered by Synopsys using Defensics test suites. Interestingly, the vulnerable USB adapter contained the same chipset used in the access points Synopsys used in its own tests. This highlights the complexity of WLAN and just how many devices are in the ecosystem.
One of the plaintext attacks broadcasted fragments that were parsed as full frames in an encrypted network. Another was almost identical in that the plaintext frame fragments were parsed as full frames in an encrypted network. The third plaintext attack added EtherType to EAPOL and was handled as an encrypted frame. These plaintext attacks are trivial to inject and can be used for exploits.
The remaining five FragAttacks involve mixed fragments. Some are encrypted and some are plaintext, but vulnerable devices process the fragments as full frames and forward EAPOL frames without checking the MIC calculation with TKIP cipher suite (WPA1). All are severe vulnerabilities and should necessitate an update to firmware and drivers for wireless LAN equipment.
FuzzBox 802.11 test suites were able to detect a FragAttack that was sending plaintext into an encrypted network. Often vulnerabilities like FragAttacks are challenging to detect via fuzzing because they don’t make the system reboot or stop functioning while testing. Instead, the system under test behaves as if nothing has happened.
To detect vulnerabilities like FragAttacks, QA teams need to apply good instrumentation. Defensics test suites have a feature called SafeGuard, which can be implemented to detect vulnerabilities like these. Defensics FuzzBox 802.11 test suites have already found parts of FragAttacks using the SafeGuard feature. Synopsys is always improving its state-of-the-art WLAN test suites to find more unknown high-impact vulnerabilities.
The FragAttacks vulnerabilities are a good illustration of the difficulty of building secure and robust software. Security must be a consideration at every phase of development, from design through implementation, testing, and maintenance.
Design flaws can only be found by humans. System, protocol, and application design documents must be rigorously reviewed from a security standpoint and revised to address shortcomings.
Implementation flaws, on the other hand, can be found by automated security tools, including fuzzers and others such as static analysis (SAST), software composition analysis (SCA), and more.
Network protocol implementations benefit particularly from fuzzing, a technique in which malformed and unexpected inputs are delivered to the target software to find out if a failure can be triggered. Using fuzzing to locate flaws, then fixing them before releasing software, results in products that are more secure and more robust. In turn, this means lower risk and fewer patches throughout the ecosystem.