By Jim Palmer
On May 11th, 2021, Mathy Vanhoef (New York University Abu Dhabi) published a new paper on a number of vulnerabilities he has discovered within the base 802.11 protocol (802.11 is the standard that Wi-Fi is built on). Mathy is not new to the world of Wi-Fi research, having published previous papers you might have heard of: KRACK in 2017, covering 10 unique vulnerabilities in WPA2-PSK, and then Dragonblood in 2019, covering an additional 14 unique vulnerabilities in WPA3-SAE. For this report, known as “FragAttacks”, Mathy has focused not on the encryption used to secure Wi-Fi communications but on the way that stations (both APs and client devices, or “STAs”) handle breaking down and then reassembling the data they send over the air.
Read the full FragAttacks report from Mathy Vanhoef.
As before, Mathy Vanhoef and team have done some ground-breaking research and documentation and disclosed their findings in a responsible fashion, allowing not just CommScope RUCKUS, but the entire industry, to prepare updates ahead of this release.
At a high level, these recent vulnerabilities focus on the way that STAs break down the traffic they need to send over the air, and then on how the other end receives that data and reassembles it into information that can either be sent further along its path towards its final destination (what an AP does) or be presented to the end user (what the client device does, e.g., showing the user a video). This breaking down of data into manageable sizes (fragmentation), to then be transported to the other end for reassembly (aggregation), has been going on since the beginning of Ethernet. Since Wi-Fi is based on the Ethernet standard, this means that these vulnerabilities have existed since Wi-Fi was introduced in 1997. What makes Wi-Fi vulnerable in this process is the uncontrolled medium that this data is sent across (the RF channel), whereas with wired Ethernet it is much harder for someone to gain access to that medium (the cable and the network infrastructure) in an attempt to exploit this process.
Read the CommScope RUCKUS FragAttacks FAQ.
As STAs fragment data to be sent over the air, that data doesn’t break down into nice and neat sizes, much to the chagrin of many a network engineer. There exist leftovers and smaller “chunks” of data that don’t fill up the allotted space but still need to be sent. Think of the last bag of potato chips you bought for a party: when you opened it up, the chips only filled half of that big bag. The rest was empty, just open air waiting to be filled. What Mathy and team figured out is how to identify these fragments and then exploit the empty space left over when those smaller chunks of data are sent. With a successful exploit of that empty space, an attacker can then stage data in the STA, where it sits waiting for the rest of the data to be received, possibly injecting malicious data or commands for that device to act on later, either immediately or possibly even minutes after a successful injection.
Also at risk is the way that STAs identify and/or number these fragments and store them to be reassembled before taking the next step. While complicated to exploit, these specific vulnerabilities have some of the most critical impacts, because an attacker can simply send specifically crafted frames directly to the STAs and bypass any safeguard implemented by the network configuration (Enterprise security, client isolation, etc.).
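The fragment cache described in the two paragraphs above is where a receiver decides whether cached pieces of a frame can be trusted. As an added illustration (not code from this post or from RUCKUS), the simplified Python reassembler below applies the defensive checks a receiver can make: a frame must start at fragment 0 with consecutive fragment numbers, every fragment must have been decrypted under the same key, stale partial frames expire, and the whole cache is flushed on (re)association. The `Fragment` model and its `key_id` field are constructed for this example and stand in for the real Sequence Control fields and the pairwise-key epoch.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Fragment:
    """Constructed model of one 802.11 fragment (not the real frame layout)."""
    seq: int        # sequence number shared by all fragments of one frame
    frag: int       # fragment number, 0-based and consecutive
    more: bool      # True unless this is the last fragment ("More Fragments")
    key_id: int     # hypothetical: key epoch the fragment was decrypted under
    payload: bytes


@dataclass
class Partial:
    key_id: int
    next_frag: int
    chunks: list = field(default_factory=list)
    born: float = 0.0   # time the first fragment was cached


class Reassembler:
    """Caches fragments and discards anything that breaks the invariants."""

    def __init__(self, max_age: float = 1.0):
        self.partials = {}          # seq -> Partial
        self.max_age = max_age      # seconds a partial frame may wait

    def clear(self):
        """Flush every cached fragment, e.g. on (re)association or rekey."""
        self.partials.clear()

    def accept(self, f: Fragment, now: float) -> Optional[bytes]:
        """Return the reassembled payload once complete, else None."""
        p = self.partials.get(f.seq)
        if f.frag == 0:
            # Start (or restart) the frame; an older partial with the same
            # sequence number is replaced, never merged into.
            p = self.partials[f.seq] = Partial(f.key_id, 0, [], now)
        elif (p is None or f.frag != p.next_frag or f.key_id != p.key_id
              or now - p.born > self.max_age):
            # Out-of-order, mixed-key or stale: drop the whole partial frame.
            self.partials.pop(f.seq, None)
            return None
        p.chunks.append(f.payload)
        p.next_frag += 1
        if f.more:
            return None
        del self.partials[f.seq]
        return b"".join(p.chunks)
```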
As for what this means for you, we have some tips and advice to guide you through this announcement. If you remember the KRACK blog, some of this might sound eerily familiar.
Wi-Fi has come a long way since 1997 (when it was first released and some of these vulnerabilities were first introduced), and there isn’t any reason to think now is the time to stop using it. As knowledge about, interest in, and dependency on Wi-Fi have grown, network operators need to grow along with it. Use the tools and techniques that are available today to help keep your networks and end users secure. Modern information security is all about defense in layers, and we are all in this together to keep our networks secure and running at a high level.