WiFi standard is vulnerable to critical flaws that have existed since 1997; millions of affected devices

Belgian security researcher Mathy Vanhoef has disclosed multiple vulnerabilities in the WiFi standard and in its implementations that affect devices sold over the past 24 years, going back to the original 1997 version of the standard. The flaws, dubbed “Frag Attacks” (fragmentation and aggregation attacks), allow an attacker within radio range of a target to exfiltrate data from it and to inject malicious frames that can lead to compromise of the affected device, whether a smartphone, a computer or any other connected device.

According to Vanhoef, three of the reported flaws are design errors in the WiFi standard itself and therefore affect most devices. The remaining flaws are widespread programming errors in individual implementations of the standard.

The report states that every WiFi product tested was affected by at least one of the flaws, and that most devices currently sold are affected by two or more. Vanhoef previously discovered the KRACK and Dragonblood attacks, whose disclosure led to safer implementations of WPA2 and WPA3 in recent years. The Frag Attacks flaws, however, lie in older and less scrutinised parts of the protocol, the frame fragmentation and aggregation features, which had gone largely unexamined for decades.

Below is a list of the discovered flaws:

Design flaws in the WiFi standard:

  • CVE-2020-24588: aggregation attack (accepting non-SPP A-MSDU frames, possible because the A-MSDU flag is not authenticated)
  • CVE-2020-24587: mixed key attack (reassembling fragments encrypted under different keys)
  • CVE-2020-24586: fragment cache attack (not clearing fragments from memory when (re)connecting to a network)

Implementation flaws that allow plaintext frame injection:

  • CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network)
  • CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network)
  • CVE-2020-26140: Accepting plaintext data frames in a protected network
  • CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network

Other implementation flaws:

  • CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (affects access points)
  • CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers
  • CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments
  • CVE-2020-26142: Processing fragmented frames as full frames
  • CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames
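Most of the listed flaws come down to a receiver reassembling fragments it should have dropped. The following is an added example, written for this page and not taken from Vanhoef's report or from any vendor's driver: a simplified Python model of receive-side defragmentation that enforces the checks the fixes require (no plaintext frames in a protected network, consecutive fragment numbers, consecutive packet numbers, one key per MSDU, no stale fragments after a reconnect). The `Fragment` fields, sequence and packet numbers and payloads are constructed for illustration; real 802.11 parsing (Frame Control bits, CCMP/GCMP headers, A-MSDU subframes) is not modelled, so the aggregation flaw CVE-2020-24588, which needs the A-MSDU flag to be authenticated, is outside what this code shows.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    """One received 802.11 data fragment, after decryption (simplified model)."""
    seq: int               # sequence number, shared by all fragments of one MSDU
    frag: int              # fragment number within the MSDU, starting at 0
    more_frags: bool       # "More Fragments" bit from the Frame Control field
    encrypted: bool        # Protected Frame bit set and decryption succeeded
    pn: Optional[int]      # CCMP/GCMP packet number (None for plaintext frames)
    key_id: Optional[int]  # which pairwise key decrypted it (None for plaintext)
    payload: bytes


class Defragmenter:
    """Receive-side reassembly enforcing the checks the Frag Attacks fixes require."""

    def __init__(self, protected: bool = True) -> None:
        self.protected = protected                  # network uses WPA2/WPA3
        self.cache: Dict[int, List[Fragment]] = {}  # seq -> fragments received so far
        self.rejected: List[Tuple[int, str]] = []   # (seq, reason) for dropped frames

    def reset(self) -> None:
        """Drop partial MSDUs on (re)connect so a stale fragment can never be
        combined with a fresh one (fragment cache attack, CVE-2020-24586)."""
        self.cache.clear()

    def _reject(self, f: Fragment, reason: str) -> None:
        self.cache.pop(f.seq, None)  # the partial MSDU is discarded too
        self.rejected.append((f.seq, reason))

    def receive(self, f: Fragment) -> Optional[bytes]:
        """Return the reassembled MSDU once complete, otherwise None."""
        # No plaintext data frames, fragmented or not, once the network is
        # protected (CVE-2020-26140, CVE-2020-26143, CVE-2020-26145).
        if self.protected and not f.encrypted:
            self._reject(f, "plaintext frame in protected network")
            return None
        if f.frag == 0:
            self.cache.pop(f.seq, None)  # a new first fragment restarts the MSDU
            if not f.more_frags:
                return f.payload         # ordinary unfragmented frame
            self.cache[f.seq] = [f]
            return None
        prev = self.cache.get(f.seq)
        if prev is None:
            # A later fragment on its own is never a full frame (CVE-2020-26142).
            self._reject(f, "fragment without first fragment")
            return None
        last = prev[-1]
        if f.frag != last.frag + 1:
            self._reject(f, "non-consecutive fragment number")
            return None
        if f.encrypted != last.encrypted:  # CVE-2020-26147
            self._reject(f, "mixed encrypted and plaintext fragments")
            return None
        if f.key_id != last.key_id:        # mixed key attack, CVE-2020-24587
            self._reject(f, "fragments decrypted under different keys")
            return None
        if f.encrypted and f.pn != last.pn + 1:  # CVE-2020-26146
            self._reject(f, "non-consecutive packet number")
            return None
        prev.append(f)
        if f.more_frags:
            return None
        del self.cache[f.seq]
        return b"".join(x.payload for x in prev)


def run_scenarios() -> Tuple[Dict[str, Optional[bytes]], List[Tuple[int, str]]]:
    """Constructed fragments (not a real capture) exercising each check."""
    d = Defragmenter(protected=True)
    out: Dict[str, Optional[bytes]] = {}
    # Legitimate two-fragment MSDU: consecutive fragment numbers and PNs, one key.
    d.receive(Fragment(10, 0, True, True, 100, 1, b"GET /index"))
    out["legit"] = d.receive(Fragment(10, 1, False, True, 101, 1, b".html"))
    # Second fragment with a gap in the packet number (replayed or injected).
    d.receive(Fragment(11, 0, True, True, 200, 1, b"legit-"))
    out["pn_gap"] = d.receive(Fragment(11, 1, False, True, 205, 1, b"evil"))
    # Rekey between fragments: second fragment decrypted under another key.
    d.receive(Fragment(12, 0, True, True, 300, 1, b"before-"))
    out["mixed_key"] = d.receive(Fragment(12, 1, False, True, 301, 2, b"after"))
    # Plaintext fragment injected into the protected network.
    out["plaintext"] = d.receive(Fragment(13, 0, True, False, None, None, b"inj"))
    # Fragment cache attack: a cached first fragment must not survive a reconnect.
    d.receive(Fragment(14, 0, True, True, 400, 1, b"stale-"))
    d.reset()
    out["cache_cleared"] = d.receive(Fragment(14, 1, False, True, 401, 1, b"fresh"))
    return out, d.rejected
```

On real hardware these checks live in the driver or firmware, which is why the fixes ship as vendor updates rather than as a configuration change; the model only makes explicit what a patched receiver must refuse.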

The findings were reported to the WiFi Alliance, which coordinated fixes with device manufacturers and operating system vendors; corrections arrive as firmware and driver updates. In his report, Vanhoef describes how to test whether a device has been patched and lists mitigations for deployments that have not yet received updates.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.