Wi-Fi FragAttacks

As before, Mathy Vanhoef and team have done some ground-breaking research and documentation and disclosed their findings in a responsible fashion, allowing not just CommScope RUCKUS, but the entire industry, to prepare updates ahead of this release.

From a high level, these recent vulnerabilities focus on the way that STAs break down the traffic they need to send over the air, and then how the other end receives that data and then reassembles it into information that can either be sent further along its path towards its final destination (what an AP does) or then presented to the end user (what the client device does, i.e., showing the user a video). This breaking down of data into manageable sizes (fragmentation) to then be transported to the other end for reassembly (aggregation) has been going on since the beginning of Ethernet. Since Wi-Fi is based on the Ethernet standard, this means that these vulnerabilities have existed since Wi-Fi was introduced in 1997. What makes Wi-Fi vulnerable with this process is the uncontrolled medium that this data is sent across (the RF channel) whereas with wired Ethernet it is much harder for someone to gain access to that medium (the cable and the network infrastructure) in an attempt to exploit this process.

Read the CommScope RUCKUS FragAttacks FAQ.

As STAs fragment data to be sent over the air, that data doesn’t break down into nice and neat sizes, much to the chagrin of many a network engineer. There exist leftovers and smaller “chunks” of data that don’t fill up the allotted space that still needs to be sent. Think of the last bag of potato chips you bought for a party that when you opened it up, the chips only filled up half of that big bag. The rest was empty; just open air waiting to be filled. What Mathy and team figured out is how to identify these fragments and then to exploit the empty space left over when those smaller chunks of data are sent. With a successful exploit of that empty space, an attacker can then stage data that is stored in the STA waiting for the rest of the data to be received, possibly injecting malicious data or commands for that device to perform later, either immediately or possibly even minutes after successful injection.

Also at risk is the way that STAs identify and/or number these fragments and store them to be reassembled before taking the next step. While complicated to exploit, these specific vulnerabilities have some of the most critical impacts based on the attacker’s ability to simply send specifically crafted frames directly to the STAs and bypass any safeguard implemented by the network configuration (Enterprise security, client isolation, etc.).

As for what this means for you, we have some tips and advice to guide you through this announcement. If you remember the KRACK blog, some of this might sound eerily familiar.

1. Stay calm. Vulnerabilities exist with STAs on both sides of the Wi-Fi conversation so patches and updates will need to be installed ASAP.
   1. None of these vulnerabilities deal with the encryption or cryptography used in any of the WPA2/3 protocols. In fact, the researchers point to the number of advancements that have been made in these areas as of late.
   2. While not unscathed, Enterprise grade APs, like RUCKUS APs, have fewer vulnerabilities than home/consumer grade APs. Patches will need to be installed for the vulnerabilities that do affect RUCKUS APs.
   3. Impact to client devices varies greatly depending on make and model so watch for those device patches as they are released. Several of the vulnerabilities deal specifically with how and what STAs receive and process, independent of the bigger network vendor or topology.
   4. The majority of the vulnerabilities rely on either a Man-In-The-Middle (MITM) position, Social Engineering (phishing emails, vishing calls), or both, in order to exploit the vulnerability.
2. These vulnerabilities aren’t trivial to exploit. While the research discloses the tools and methods used to discover the vulnerabilities, these are not simple attacks to carry out. While still impactful and needing to be remediated, don’t expect to see a rash of these attacks.
   1. To be successful, the attacker would need to be sophisticated, onsite, and armed with specialized hardware with specific drivers. Some of the vulnerabilities rely on both MITM and Social Engineering being successful in conjunction with patience on the attacker’s part. Not all of these attacks are instantaneous.
   2. Most of the vulnerabilities discovered with the connection between STAs require multiple steps in a specific order to be successful. A failure at any step causes the entire attack to fail.
   3. All current certificates and Wi-Fi passwords are still secure. None of these attacks compromise that aspect of Wi-Fi; in fact, some of the vulnerabilities were discovered during attempts to work around not being able to compromise Wi-Fi security.
   4. While networks that use WEP and TKIP have additional vulnerabilities, these have been “broken” for years. If your network or devices are still using these, now would be an even better time to do something about it.
   5. Establishing a successful MITM position at the correct stage of the attack to manipulate frames being sent isn’t easy. This requires precise timing and networks that allow this to happen. MITM is hard enough to deploy, but needing specific timing makes it more difficult to successfully implement.
3. Steps you can take now. Just as with KRACK in 2017, there are specific steps that can be taken now to make these attacks harder, if not impossible, to carry out in a production network.
   1. Patch both your APs and client devices as soon as those patches are released. Certain vulnerabilities only need one device in the network to be vulnerable, and it can be a client device, not just an AP.
   2. Mitigate the possibility of a MITM attack. By default, RUCKUS has Rogue AP, MAC Spoofing, SSID Spoofing detection, as well as disassociation flood and deauthentication flood detection. These are all hallmarks of a MITM device setting up and positioning itself in the environment. The first step in fixing a problem is knowing that you have that problem in the first place.
   3. Educate yourself, your team, and your friends and family about the latest phishing and vishing techniques. Tricking the end user into revealing information or clicking on malicious links is the fastest, easiest, and most target rich environment that exists today. An ounce of prevention today is worth its weight in Bitcoin tomorrow.
   4. Start planning to use the latest standards and encryption techniques for your networks. WPA3-Enterprise contain safety precautions to help prevent MITM attacks by mandating 802.11w (Protected Management Frames) which can stop the first step of a MITM attack.
   5. Learn the different EAP (Extensible Authentication Protocol) types associated with WPA2/3-Enterprise and plan to deploy them on your network. Not all EAP types are the same, and there are types that are “more secure” than others.
   6. For devices that don’t support WPA2/3-Enterprise, consider using Dynamic Pre-Shared Key (DPSK) from RUCKUS for the network. Hotspot type networks that use a password posted on a wall or online are a risk that doesn’t need to be taken.
   7. Go to the RUCKUS Support Site for FragAttacks to learn more about RUCKUS countermeasures and patch release information.

Read the full report on FragAttacks. Wi-Fi has come a long way since 1997 (when it was first released and some of these vulnerabilities were first introduced) and there isn’t any reason to think now is the time to stop using it. As knowledge about, interest into, and dependency on Wi-Fi has grown, network operators need to grow along with it. Utilize the tools and techniques that are available today to help keep your networks and end users secure. Modern information security is all about defence in layers, and we are all in this together to successfully keep our networks secure and running at a high level.

Post by Jim Palmer. View the original.