Frag Attacks

Discovered and named by Mathy Vanhoef (New York University Abu Dhabi) on May 11, 2021, the FragAttacks (fragmentation and aggregation attacks) are a group of a dozen vulnerabilities that affect not only the WEP protocol but also recent protocols such as WPA3. The vulnerabilities mainly lie in how information exchanged over the network can be added or modified, so all the terminals connected to the network are vulnerable.

According to Mathy Vanhoef’s research, three of the vulnerabilities are design flaws in the 802.11 standard. The researcher also said that these vulnerabilities are complex to exploit. However, he draws attention to the weaknesses caused by Wi-Fi implementation flaws in the terminals themselves, as these can be directly exposed.

I will briefly present the 3 design flaws of the 802.11 standard below. For more detail, I invite you to read the detailed information provided by Mathy Vanhoef.

1- Aggregation Attack (CVE-2020-24588)

The first design weakness is located in the 802.11 header, more specifically in the “is aggregated” flag, which is neither authenticated nor encrypted during the transmission of the frame. An attacker can therefore modify this field and thereby inject packets. An example of an attack would be to transmit a malicious DNS server to a client. After extensive testing by Mathy Vanhoef, it was found that all devices are vulnerable to this attack.
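Because the flag is unauthenticated, the same payload bytes can be parsed in two different ways, which the following Python sketch makes concrete. It is an added example, not code from the original article or from the researcher; the function names and sample bytes are constructed, and the drop rule (reject an aggregated frame whose first subframe header begins with the LLC/SNAP prefix of an ordinary frame) is a receive-side check of the kind used to mitigate this flaw.

```python
import struct

LLC_SNAP = bytes.fromhex("aaaa03000000")  # prefix of every ordinary (non-aggregated) MSDU

def parse_amsdu(payload):
    """Split an A-MSDU payload into (dst, src, msdu) subframes."""
    subframes, off = [], 0
    while off + 14 <= len(payload):
        dst, src = payload[off:off + 6], payload[off + 6:off + 12]
        (length,) = struct.unpack_from("!H", payload, off + 12)
        end = off + 14 + length
        if end > len(payload):
            raise ValueError("subframe length exceeds payload")
        subframes.append((dst, src, payload[off + 14:end]))
        off = (end + 3) & ~3  # subframes are padded to a 4-byte boundary
    return subframes

def accept_payload(payload, amsdu_flag):
    """Receive-side handling driven by the unauthenticated 'is aggregated' flag."""
    if not amsdu_flag:
        return [payload]  # one ordinary MSDU
    # A real A-MSDU starts with a destination MAC. If it starts with LLC/SNAP,
    # the flag was set on a frame that was sent as an ordinary MSDU: drop it.
    if payload[:6] == LLC_SNAP:
        return None
    return [msdu for _, _, msdu in parse_amsdu(payload)]

def demo():
    # Constructed sample: LLC/SNAP + EtherType 0x0800 + first bytes of an IPv4 header
    msdu = LLC_SNAP + bytes.fromhex("0800" "4500001c0004" "00004011")
    dst, src = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
    inner = LLC_SNAP + bytes.fromhex("0806") + b"constructed"
    amsdu = dst + src + struct.pack("!H", len(inner)) + inner
    return {
        "misparsed_dst": parse_amsdu(msdu)[0][0],    # what a naive parser sees
        "plain": accept_payload(msdu, False),
        "flag_flipped": accept_payload(msdu, True),  # dropped by the check
        "genuine": accept_payload(amsdu, True),
    }
```
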

2- Mixed Key Attack (CVE-2020-24587)

The second design weakness in Wi-Fi is in the frame fragmentation function. This feature, in principle, improves the reliability of the connection by dividing large frames into small fragments. The same key is used to encrypt each fragment of the same frame. However, receivers are not obliged to check the keys and could reassemble fragments decrypted with different keys. Even if the cases are rare, it is still possible to exploit this flaw to exfiltrate data. To do this, fragments encrypted with different keys must be mixed.

This design flaw can be corrected in a backwards compatible way by only reassembling fragments that have been decrypted with the same key. Since this attack is relatively rare, it is classified as a “theoretical attack”.

3- Fragment Cache Attack (CVE-2020-24586)

The third design weakness of Wi-Fi, like the second, lies in the frame fragmentation function. The problem is that when a user disconnects from the network, the Wi-Fi device does not necessarily delete from memory the fragments that have not yet been reassembled. This can lead to abuse, especially in hotspot networks. This design flaw can lead to data exfiltration through the injection of a malicious fragment into the “fragment cache”. Thus, when the victim sends a fragmented frame after connecting to the access point, the selected fragments are combined with those injected by the adversary. This design flaw can be corrected in a backwards compatible way, by deleting the fragments when “reconnecting” to or disconnecting from a network.
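The two backwards compatible fixes described for the mixed key and fragment cache attacks, shown together as an added Python example (not part of the original article): a reassembly cache that only joins fragments decrypted with the same key and purges a station's leftover fragments on disconnect. The class names, the `key_id` handle and the sample traffic are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Fragment:
    sender: str    # transmitter MAC address
    seq: int       # sequence number shared by all fragments of one frame
    frag_no: int   # fragment number, starting at 0
    more: bool     # More Fragments flag
    key_id: int    # hypothetical handle for the key that decrypted this fragment
    data: bytes

@dataclass
class Partial:
    key_id: int
    parts: list = field(default_factory=list)

class FragmentCache:
    def __init__(self):
        self.entries = {}  # (sender, seq) -> Partial

    def on_disconnect(self, sender):
        """Fragment cache fix: purge leftovers when a station (re)connects or leaves."""
        self.entries = {k: v for k, v in self.entries.items() if k[0] != sender}

    def receive(self, f):
        """Return the reassembled frame, or None if incomplete or rejected."""
        k = (f.sender, f.seq)
        if f.frag_no == 0:
            self.entries[k] = Partial(f.key_id)
        e = self.entries.get(k)
        # Mixed key fix: every fragment must arrive in order under the same key.
        if e is None or f.frag_no != len(e.parts) or f.key_id != e.key_id:
            self.entries.pop(k, None)  # discard the whole partial frame
            return None
        e.parts.append(f.data)
        return None if f.more else b"".join(self.entries.pop(k).parts)

def demo():
    # Constructed traffic: (same key, mixed keys, leftover after disconnect)
    sta = "02:00:00:00:00:01"
    a, b, c = FragmentCache(), FragmentCache(), FragmentCache()
    a.receive(Fragment(sta, 7, 0, True, 1, b"GET /acc"))
    b.receive(Fragment(sta, 7, 0, True, 1, b"old-key part"))
    c.receive(Fragment(sta, 7, 0, True, 1, b"left behind"))
    c.on_disconnect(sta)
    return (a.receive(Fragment(sta, 7, 1, False, 1, b"ount")),
            b.receive(Fragment(sta, 7, 1, False, 2, b"new-key part")),
            c.receive(Fragment(sta, 7, 1, False, 2, b"next session")))
```
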

4- Some other cases

Another vulnerability that is important to note is the one noticed on some routers that transfer EAPOL frames to another client before the sender has even authenticated. Through this vulnerability, aggregation attacks that inject arbitrary frames can be performed without any user interaction. The other implementation flaw, which is very common, concerns receivers that do not check that all fragments belong to the same frame. This flaw can allow frames to be formed by mixing fragments of two different frames. Some devices do not support aggregation or fragmentation, but are still vulnerable to attack since they treat fragmented frames as complete frames. It is possible that this flaw can be used to inject packets.

More details to follow

To go further:

https://www.fragattacks.com/

WPA3 Overview

Published by the Wi-Fi Alliance in 2018, the WPA3 protocol is an updated version of the WPA2 protocol released in 2004. This update improves the security of exchanges and adapts the protocol to the development of new uses (multiplication of hotspots, IoT, …).

Despite the progress in terms of security that WPA3 represents, there are some known vulnerabilities, for example online dictionary attacks, which can be blocked with an IDS/IPS, or some of the Frag Attacks vulnerabilities.

The initial version of WPA3 included the different features presented in this article; however, the final version only requires SAE. The implementation of the other features is left to the free choice of the manufacturers. DPP has its own certification.

OWE (Opportunistic Wireless Encryption)

Until the introduction of WPA3, public Wi-Fi networks were usually configured in open mode and therefore did not have a password. The good practice is to set up a captive portal to force people to authenticate. The fact that such a network is not protected exposes users to two major risks: passive eavesdropping and man-in-the-middle attacks.

With the implementation of OWE, we can rule out the possibility of passive eavesdropping on traffic. OWE describes a method for clients and access points to establish an encrypted session based on a Diffie-Hellman key exchange. The session keys are unique and the process is transparent to the user.

DPP (Device Provisioning Protocol) / Easy Connect™

The DPP protocol is being implemented to address the security weaknesses of WPS (Wi-Fi Protected Access) and to facilitate the deployment of IoT objects. Unlike its predecessor, DPP allows devices to be authenticated on the network without passwords, using QR codes or NFC tags.

This feature is not mandatory to obtain the WPA3 certification from the Wi-Fi Alliance; it is part of the Easy Connect Wi-Fi Certified program.

Protected Management Frames

One of the classic attack vectors against WPA2 Personal is the capture of authentication exchanges, which can later be used to perform an offline dictionary attack in order to break the PSK. To do so, the attacker can send deauthentication frames to force the client to initiate a new connection process and thus generate the frames desired by the attacker.

This protection of management frames is not a new feature of WPA3; it existed in previous versions, but it has been further developed.

Simultaneous Authentication of Equals (SAE)

To overcome the above-mentioned attack, which consists of capturing the handshake and then breaking it offline with a dictionary, WPA3 uses a new key negotiation mechanism based on the Dragonfly exchange. During negotiation, the keys are never sent, which eliminates the threat of an attacker capturing the 4-way handshake and then performing an offline attack. This key exchange mechanism is already implemented for 802.11s mesh networks.

Contribution of elliptic curves

One of the first changes in WPA3 compared to WPA2 is the generation of keys. WPA3 introduces the use of elliptic curves in Diffie-Hellman exchanges (ECDH) to reduce the size of the keys and therefore the resources needed for encryption. For example, for 128-bit AES encryption the public key has a size of 3072 bits with the Modular Exponential algorithm (MODP), versus 256 bits with ECDH.

To go further:

WPA3, OWE and DPP | Hemant Chaskar | WLPC Phoenix 2019 | Wireless LAN Professionals