Security Advisory: Wi-Fi Fragmentation and Aggregation Attacks

What Happened?

A new set of Wi-Fi vulnerabilities was discovered by Mathy Vanhoef and released on May 11, 2021. These vulnerabilities are core to the design and implementation of the IEEE 802.11 standard, affect almost all Wi-Fi capable devices, and include the following CVEs:

  • CVE-2020-24586: Not clearing fragments from memory when (re)connecting to a network

  • CVE-2020-24587: Reassembling fragments encrypted under different keys

  • CVE-2020-24588: Accepting non-SPP A-MSDU frames

  • CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated

  • CVE-2020-26140: Accepting plaintext data frames in a protected network

  • CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames

  • CVE-2020-26142: Processing fragmented frames as full frames

  • CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network

  • CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network)

  • CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network)

  • CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers

  • CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments

As noted in the original post, Mathy states:

The discovered vulnerabilities affect all modern security protocols of Wi-Fi, including the latest WPA3 specification. Even the original security protocol of Wi-Fi, called WEP, is affected. This means that several of the newly discovered design flaws have been part of Wi-Fi since its release in 1997! Fortunately, the design flaws are hard to abuse because doing so requires user interaction or is only possible when using uncommon network settings. As a result, in practice the biggest concern are the programming mistakes in Wi-Fi products since several of them are trivial to exploit.

These vulnerabilities are not restricted to specific devices from specific vendors; over 75 devices from different vendors were tested by Mathy and his team, and all of them were vulnerable to one or more of the discovered attacks.
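Several of the CVEs listed above (CVE-2020-24586, CVE-2020-24587, CVE-2020-26146, CVE-2020-26147) describe checks that a receiver skips while reassembling fragments. The sketch below is an added example, not Byos or vendor code: a simplified Python model of a fragment cache that enforces those checks. The Fragment fields, including key_id, are assumptions made for illustration and are not a real 802.11 parser.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:            # simplified model of one received fragment
    sender: str            # transmitter MAC address
    seq: int               # sequence number shared by all fragments of a frame
    frag: int              # fragment number, starting at 0
    more: bool             # More Fragments flag
    encrypted: bool        # Protected Frame flag
    key_id: int            # hypothetical id of the key that decrypted it
    pn: int                # CCMP/GCMP packet number
    data: bytes            # decrypted payload

class Reassembler:
    """Receiver-side fragment cache for a protected network."""

    def __init__(self):
        self.cache = {}    # (sender, seq) -> fragments received so far

    def on_reconnect(self, sender):
        # CVE-2020-24586: forget cached fragments when a station (re)connects
        for key in [k for k in self.cache if k[0] == sender]:
            del self.cache[key]

    def receive(self, f):
        """Return the reassembled payload, or None if incomplete or dropped."""
        key = (f.sender, f.seq)
        if not f.encrypted:
            # CVE-2020-26143 / CVE-2020-26147: no plaintext fragments
            self.cache.pop(key, None)
            return None
        if f.frag == 0:
            self.cache[key] = [f]          # a first fragment replaces stale state
        else:
            parts = self.cache.get(key)
            prev = parts[-1] if parts else None
            if (prev is None or f.frag != prev.frag + 1
                    or f.key_id != prev.key_id    # CVE-2020-24587: one key per frame
                    or f.pn != prev.pn + 1):      # CVE-2020-26146: consecutive PNs
                self.cache.pop(key, None)
                return None
            parts.append(f)
        if f.more:
            return None                    # wait for the remaining fragments
        return b"".join(p.data for p in self.cache.pop(key))
```

Any failed check discards the whole partially reassembled frame rather than only the offending fragment, so a later fragment cannot complete it.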

Does this affect Byos products?

This set of vulnerabilities affects every Wi-Fi enabled device on the planet.

Our security team has been performing ongoing tests on Byos µGateways since the release of these vulnerabilities.

Byos-protected endpoints may be affected by a subset of these attacks based on the design flaws found in:

  • CVE-2020-24588: Aggregation attack

  • CVE-2020-24587: Mixed key attack

  • CVE-2020-24586: Fragment cache attack

How does Byos protect against these vulnerabilities?

Even though Byos devices operate under the 802.11 standard and are therefore technically vulnerable, successfully exploiting these vulnerabilities against a device protected by the Byos µGateway is much less likely, for the following reasons:

  • Byos adds a layer of abstraction to the device physically present in the network, isolating the attacker from its victim

  • Each Byos µGateway runs its own encrypted DNS server and is isolated from the host machine, therefore DNS poisoning is much more difficult to achieve

  • Byos has Evil Twin Wi-Fi and Man-in-the-Middle protection features, reducing the attacker’s ability to manipulate the user’s session, traffic, or connection

After a thorough evaluation from our security team, we concluded that using a Byos µGateway provides more security than otherwise using your device’s native Wi-Fi connection.

We will continue to update this page as our security team uncovers more information about these vulnerabilities. A software update will be published by Byos shortly.

Extra steps for precaution

In practice, these vulnerabilities are difficult to exploit; however, we recommend you follow these basic security best practices to minimize your risk:

  • Only visit websites that have implemented HTTPS

  • Update all of your devices on a regular basis

  • Don’t reuse or share passwords

  • Use a Byos µGateway when connecting to untrusted Wi-Fi networks

For more information, please visit https://www.fragattacks.com/.

Reach us at support@byos.io.