What Happened?
A new set of Wi-Fi vulnerabilities was discovered by Mathy Vanhoef and disclosed on May 11, 2021. They stem from both the design and the implementation of the IEEE 802.11 standard, affect almost all Wi-Fi capable devices, and comprise the following CVEs:
| CVE | Description |
|---|---|
| CVE-2020-24586 | Not clearing fragments from memory when (re)connecting to a network |
| CVE-2020-24587 | Reassembling fragments encrypted under different keys |
| CVE-2020-24588 | Accepting non-SPP A-MSDU frames |
| CVE-2020-26139 | Forwarding EAPOL frames even though the sender is not yet authenticated |
| CVE-2020-26140 | Accepting plaintext data frames in a protected network |
| CVE-2020-26141 | Not verifying the TKIP MIC of fragmented frames |
| CVE-2020-26142 | Processing fragmented frames as full frames |
| CVE-2020-26143 | Accepting fragmented plaintext data frames in a protected network |
| CVE-2020-26144 | Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network) |
| CVE-2020-26145 | Accepting plaintext broadcast fragments as full frames (in an encrypted network) |
| CVE-2020-26146 | Reassembling encrypted fragments with non-consecutive packet numbers |
| CVE-2020-26147 | Reassembling mixed encrypted/plaintext fragments |
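Several rows in the table are receive-side reassembly mistakes, so the clearest way to see what a correct implementation must enforce is a small model of the fragment cache. The Python below is an added example written for this page; it is not code from Byos, from the fragattacks.com disclosure, or from any Wi-Fi driver. It models a station in a protected network and applies the rules that close CVE-2020-24586 (flush on reconnect), CVE-2020-24587 (one key per frame), CVE-2020-26146 (consecutive packet numbers), CVE-2020-26142 (a non-initial fragment is never a full frame) and CVE-2020-26140/26143/26147 (no plaintext, so no mixed reassembly). The `Fragment` fields, MAC addresses and packet numbers are constructed for the example and simplified relative to a real 802.11 frame.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Fragment:
    """One received 802.11 data fragment, reduced to the fields the checks need (constructed)."""
    src: str                 # transmitter address the fragment arrived from
    seq: int                 # 802.11 sequence number shared by all fragments of one frame
    frag_num: int            # fragment number; 0 for the first fragment
    more_frags: bool         # "More Fragments" bit from the frame control field
    encrypted: bool          # True if the frame carried a CCMP/GCMP/TKIP header
    key_id: Optional[int]    # identifier of the session key it was decrypted with (None if plaintext)
    pn: Optional[int]        # CCMP/GCMP packet number (None if plaintext)
    payload: bytes


@dataclass
class _Pending:
    """A partially reassembled frame kept per transmitter."""
    seq: int
    key_id: int
    last_pn: int
    next_frag: int
    parts: List[bytes] = field(default_factory=list)


class FragmentReassembler:
    """Receive-side reassembly for a station on a protected (encrypted) network."""

    def __init__(self) -> None:
        self._pending: Dict[str, _Pending] = {}   # src address -> half-built frame

    def on_reconnect(self, src: str) -> None:
        # CVE-2020-24586: (re)connecting must discard any half-reassembled frame,
        # otherwise fragments from the previous session can be completed later.
        self._pending.pop(src, None)

    def receive(self, f: Fragment) -> Tuple[str, Optional[bytes]]:
        """Return (verdict, payload); payload is only set when verdict == 'deliver'."""
        # CVE-2020-26140 / 26143 / 26145 / 26147: in a protected network a plaintext
        # frame or fragment is never accepted, so mixed reassembly cannot occur.
        if not f.encrypted:
            return ("drop: plaintext frame in protected network", None)

        if f.frag_num == 0:
            if not f.more_frags:
                return ("deliver", f.payload)          # ordinary unfragmented frame
            self._pending[f.src] = _Pending(f.seq, f.key_id, f.pn, 1, [f.payload])
            return ("buffered", None)

        p = self._pending.get(f.src)
        if p is None:
            # CVE-2020-26142: a later fragment with no first fragment is not a full frame.
            return ("drop: fragment without a preceding first fragment", None)
        if f.seq != p.seq or f.frag_num != p.next_frag:
            self._pending.pop(f.src)
            return ("drop: fragment does not continue the pending frame", None)
        if f.key_id != p.key_id:
            # CVE-2020-24587: all fragments of one frame must be decrypted with the same key.
            self._pending.pop(f.src)
            return ("drop: fragments encrypted under different keys", None)
        if f.pn != p.last_pn + 1:
            # CVE-2020-26146: fragments of one frame carry consecutive packet numbers.
            self._pending.pop(f.src)
            return ("drop: non-consecutive packet numbers", None)

        p.parts.append(f.payload)
        p.last_pn = f.pn
        p.next_frag += 1
        if f.more_frags:
            return ("buffered", None)
        self._pending.pop(f.src)
        return ("deliver", b"".join(p.parts))


if __name__ == "__main__":
    r = FragmentReassembler()
    src = "02:00:00:00:00:01"                          # constructed transmitter address
    print(r.receive(Fragment(src, 10, 0, True, True, 1, 100, b"hello ")))
    print(r.receive(Fragment(src, 10, 1, False, True, 1, 101, b"world")))
    # second fragment under a different key is rejected (mixed key attack)
    print(r.receive(Fragment(src, 11, 0, True, True, 1, 102, b"A")))
    print(r.receive(Fragment(src, 11, 1, False, True, 2, 103, b"B")))
```

A real driver tracks more state (per-TID caches, timeouts, replay counters), but every rejection branch above corresponds to one row of the table, which is a useful checklist when reviewing a vendor's patch notes for these CVEs.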
In the original disclosure post, Mathy Vanhoef states:
The discovered vulnerabilities affect all modern security protocols of Wi-Fi, including the latest WPA3 specification. Even the original security protocol of Wi-Fi, called WEP, is affected. This means that several of the newly discovered design flaws have been part of Wi-Fi since its release in 1997! Fortunately, the design flaws are hard to abuse because doing so requires user interaction or is only possible when using uncommon network settings. As a result, in practice the biggest concern are the programming mistakes in Wi-Fi products since several of them are trivial to exploit.
These vulnerabilities are not restricted to specific devices from specific vendors; over 75 devices from different vendors were tested by Mathy and his team, and all of them were vulnerable to one or more of the discovered attacks.
How does it affect Byos products?
Since the disclosure, our security team has been testing Byos µGateways against these vulnerabilities on an ongoing basis.
Byos-protected endpoints may be affected by the subset of these attacks that stem from the design flaws:
- CVE-2020-24588: Aggregation attack
- CVE-2020-24587: Mixed key attack
- CVE-2020-24586: Fragment cache attack
Even though Byos devices are technically vulnerable, successfully exploiting these vulnerabilities against a device protected by the Byos µGateway is more difficult than exploiting the device directly, for a few reasons:
- The µGateway, not the endpoint, is the device physically present on the Wi-Fi network. With the endpoint's own Wi-Fi turned off, a successful exploit against the endpoint itself is much less likely.
- Each Byos µGateway runs its own encrypted DNS server and is isolated from the host machine, so DNS poisoning is much more difficult to achieve.
- Byos has Evil Twin Wi-Fi and Man-in-the-Middle protection features, reducing the attacker's ability to manipulate the traffic or the connection.
After a thorough evaluation by our security team, we conclude that using a Byos µGateway still provides more security than using your device's native Wi-Fi connection.
We will continue to update this page as our security team uncovers more information about these vulnerabilities. An update will be available shortly.
Extra steps for precaution
In practice these vulnerabilities are difficult to exploit; nevertheless, follow these basic security best practices to minimize your risk:
- Only visit websites that have implemented HTTPS
- Update all of your devices on a regular basis
- Don't reuse or share passwords
- Use a Byos µGateway when connecting to untrusted Wi-Fi networks
For more information, please visit https://www.fragattacks.com/.