Tech Industry Quietly Patches FragAttacks Wi-Fi Flaws That Leak Data, Weaken Security (theregister.com)
An anonymous reader quotes a report from The Register: A dozen Wi-Fi design and implementation flaws make it possible for miscreants to steal transmitted data and bypass firewalls to attack devices on home networks, according to security researcher Mathy Vanhoef. On Tuesday, Vanhoef, a postdoctoral researcher in computer security at New York University Abu Dhabi, released a paper titled, "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation" [PDF]. Scheduled to be presented later this year at the Usenix Security conference, the paper describes a set of wireless networking vulnerabilities, including three Wi-Fi design flaws and nine implementation flaws. Vanhoef, who in 2017 along with co-author Frank Piessens identified key reinstallation attacks (KRACKs) on the WPA2 protocol (used to secure Wi-Fi communication), has dubbed his latest research project FragAttacks, which stands for fragmentation and aggregation attacks.
The dozen vulnerabilities affect all Wi-Fi security protocols since the wireless networking technology debuted in 1997, from WEP up through WPA3. [...] In total, 75 devices -- network card and operating system combinations (Windows, Linux, Android, macOS, and iOS) -- were tested and all were affected by one or more of the attacks. NetBSD and OpenBSD were not affected because they don't support the reception of A-MSDUs (aggregate MAC service data units). [...]
Patches for many affected devices and software have already been deployed, thanks to a nine-month-long coordinated responsible disclosure overseen by the Wi-Fi Alliance and the Industry Consortium for Advancement of Security on the Internet (ICASI). Linux patches have been applied and the kernel mailing list note mentions that Intel has addressed the flaws in a recent firmware update without mentioning it. Microsoft released its patches on March 9, 2021 when disclosure was delayed though Redmond had already committed to publication. Vanhoef advises checking with the vendor(s) of Wi-Fi devices about whether the FragAttacks have been addressed. "[F]or some devices the impact is minor, while for others it's disastrous," he said.
Let's beat people up. (Score:1)
Because all nerds know that beating people up is a sign of manhood.
Wait, no: it's the sign of a bully. Or Nazi.
Note the need for defense in depth (Score:4, Insightful)
This is one of the reasons that "we have a firewall, no one can see our internal network" is not a sound security approach. It should be seen as encouragement for end-to-end encryption and sensible firewall use on individual devices as well as on routers. The question is not one of "why would anyone be interested in us", it is "when will a random hack in your neighborhood, or with a rootkitted student device in your neighborhood, see your available wifi and probe it?"
Re:Note the need for defense in depth (Score:4, Insightful)
Sorry, but wireless is an untrusted network as far as I'm concerned.
For years I've VPN'd over it even to my own local systems (which saved me from WEP and WPA1 attacks). The latency and CPU use in doing so is negligible even for a mobile phone.
I also treat the wireless adaptor as "untrusted" in all software firewalls and I never join others' open Wifi networks (e.g. airports, etc.). I just use 4G and then VPN over that instead.
Any wireless radio technology is going to fall foul of some attack sooner or later. But I don't think they'll be able to do that AND fool my VPN into accepting a connection to anything that's not actually the other side of my VPN. At worst, it won't work or present verification/certificate errors, which will heighten my focus on exactly what's tinkering with my network.
VPN over your wifi to your own router (a decent router with VPN built in for the local network!) and distrust (i.e. firewall) all raw wireless interfaces. It's a standard option on phones, desktop operating systems and any decent router.
Then even if WPA3 turns out to be okay, it's just double-insulation, but if it's ever compromised? Who cares? You can literally sniff every packet I ever send over Wifi and interfere with them to your heart's content. The worst you'll do is stop things working, which will flag up things for my attention when they stop connecting because they can't do so securely.
Re: (Score:2)
Not all VPN protocols or options within the protocols are as secure as advertised though, so be careful there. Nothing protects against RF DoS of course.
But even with an IPSec interface up, you still have to trust the OS to just chuck all the cleartext garbage still arriving on the network. Not so easy with commodity devices. They loves them some multicast service discovery protocols.
Re: (Score:2)
> Sorry, but wireless is an untrusted network as far as I'm concerned.
There is no need to apologize to me. I'm not someone who insists that internal networks, especially including wifi, are safe from abuse and can be treated as locally secure.
> But I don't think they'll be able to do that AND fool my VPN into accepting a connection to anything that's not actually the other side of my VPN.
That brings us to defense in depth. Your device running the VPN software itself needs to be reasonably secure, les
Re: (Score:2)
and I never join other's open Wifi network (e.g. airports, etc.). I just use 4G and then VPN over that instead.
What.
Random cellular relay is every bit as untrustworthy as random WiFi.
Personally, I don't care because I don't trust my cell phone either. It doesn't get access to anything more valuable than a Slashdot password.
Re: (Score:2)
Personally, I don't care because I don't trust my cell phone either.
Nor do I, which is why I use one running an OS I wrote myself. And the hardware is silicon I created in my own foundry using sand dug from three different randomly-selected beaches.
Even then, I don't do any online banking with it.
Re:Note the need for defense in depth (Score:4, Insightful)
I've taken to wiring in anything important and WiFi is internet access only, no LAN.
I was thinking about ditching 2.4GHz long range as well and just using 5GHz on very low power, per-room, so that it's very difficult to access from outside the building. I thought of tinfoil wallpaper but my wife vetoed it.
Re: (Score:1)
I have my WiFi network set up in a similar fashion (outbound Internet traffic only) and can't access any local resources over WiFi. Hard lines (i.e. physical cables) only to local resources. Sneakernet/airgap for truly secure systems. There are very few, if any, legitimate situations where WiFi to anywhere but the outbound Internet is actually necessary. No traffic should be able to get into your LAN from the Internet either (zero open ports, no VPN). Problem solved.
Convenience is the enemy of security
Re: (Score:1)
"I've also carefully surrounded my place with neighbours whose barely-secure WiFi networks are much easier targets than mine."
Ohhhh. I see what you did there. You brilliant, mad genius. You went to your neighbors' houses as your local neighborhood IT person and changed their network password to "password123". Potentially available, free bandwidth if your own Internet connection goes down AND there's low-hanging fruit for wardrivers.
Security and popularity. (Score:2)
...(Windows, Linux, Android, macOS, and iOS) -- were tested and all were affected by one or more of the attacks. NetBSD and OpenBSD were not affected because they don't support the reception of A-MSDUs (aggregate MAC service data units). [...]
The two most security conscious open-source distributions.
Re: (Score:2)
I'm not sure I'd put that one down to being security conscious; they could just be way behind on feature set implementation.
Really it's down to the individual driver level. It's the driver implementation flaws that give these attacks their teeth. Without those, I think (?) the best you can do is launch an expensive attack to try to leak key bits. With them... well... injecting plaintext packets and having the device honor them is a bus-sized hole.
So each card/OS combination needs individual assessment.
Closed-source problems (Score:4, Insightful)
Given that the Wifi standard is so widespread/adopted, you'd think they (the Wifi Alliance) would open their standards up for review, prior to finalization/deployment, to have knowledgeable researchers catch these design flaws first, instead of requiring membership/payment to even be able to look at the standard.
Until they open things up, or the industry switches to a full and openly published standard, we'll keep seeing these flaws happen.
Re: (Score:2)
Until they open things up, or the industry switches to a full and openly published standard, we'll keep seeing these flaws happen.
Like...SSL. ;-)
Re: (Score:2)
At least with SSL (ie. openSSL, likely other libraries also) it's open source and can be looked at without an entry fee.
Re: (Score:1)
They mean the heartbleed vulnerability. The thing missed by Many Eyes.
Re: (Score:2)
They mean the heartbleed vulnerability. The thing missed by Many Eyes.
True - open source doesn't automatically mean every line of code is scrutinized and problems immediately picked up on; this is where people dedicated to seeking out these kinds of problems can make a good impact. However, as with everything, it requires funding to get done properly.
Couple questions, I did read the first article (Score:2)
1) Are routers vulnerable to this?
2) Are there Android vulnerabilities (most of the tablets I have are at 4.4 or less with no patches available for years)?
Re: (Score:2)
One of the demonstrated attacks does inject a forged packet into a WiFi router.
It's a WiFi driver thing. Depends on the hardware, firmware, and software.
(Except for the handling of the bit in question. That's being described as a standards flaw... though there is a feature in the standard to validate that bit it may be a while till enough devices support it to be able to turn that on. But fixing the driver problems makes it really hard to do much with the flaw.)
Another Reason to Love BSD (Score:2)
Same as western set top box manufacturers (Score:1)
Network cables for the win (Score:1)
Another shining example why using a network cable at home is superior to wireless. This is in addition to a more stable and faster connection.
But yeah, people are lazy so they'll keep using wireless then complain when things go wrong.
Re:Network cables for the win (Score:4, Insightful)
Ah yes, everything we don't understand is "lazy". You try wiring up a building that's older than you are and see just how "lazy" that turns out to be.
Re: (Score:3)
Ah yes, everything we don't understand is "lazy". You try wiring up a building that's older than you are and see just how "lazy" that turns out to be.
I used to get assigned jobs running cable in local government offices, thick walls everywhere. Find a tool rental and get the biggest electric hammer drill with extra long bits they have. You will laugh as it cuts through any wall in its path. It makes hellish exit wounds in a wall so work low and behind cover.
Re:Network cables for the win (Score:5, Insightful)
Using a phone or tablet is 'lazy'? Wanting to use a laptop from multiple locations (like the backyard) is 'lazy'?
Re: (Score:2)
Using a phone or tablet is 'lazy'? Wanting to use a laptop from multiple locations (like the backyard) is 'lazy'?
Obviously not.
Plugging a USB WiFi adapter into your desktop computer instead of running a CAT5 cable is lazy.
Re: (Score:2)
WiFi has some advantages in that wired traffic doesn't usually require any authentication to access, just physical access to a port on the wall. The AP/router are more easily physically secured than tens of outlets scattered around the home. And nobody these days buys a switch with access security features for their TV room.
(Nor do commodity household APs prevent packet spoofing on the WiFi network to be fair, I had to go find a little-known github project that implemented it and graft it into OpenWRT mys
The APs I administer require a DHCP transaction before forwarding traffic from a client and then only accept IP traffic from that IP/MAC tuple (and handle ARP via proxy so there's no way to poison the table). Sure you could spoof a packet using the same IP/MAC tuple but you don't have the correct session key to encrypt it, so it will be thrown out if you do.
I administer enterprise class APs, but this can be implemented on home routers (even networks thereof) if they can run OpenWRT and I've done so. But i
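The admission rule this commenter describes (bindings learned only from DHCP, client IP frames accepted only when their source MAC/IP pair matches a binding, ARP answered by the AP itself) can be modelled in a few lines. This is an added illustration, not the commenter's OpenWRT code: the Frame fields, the BindingFilter class and all MAC/IP values are constructed for the example, and the per-client encryption check the comment also relies on is outside this model.

```python
from dataclasses import dataclass

@dataclass
class Frame:
    src_mac: str
    kind: str            # "dhcp_ack", "ip" or "arp_request"
    src_ip: str = ""     # ip: source address
    lease_mac: str = ""  # dhcp_ack: client hardware address (chaddr)
    lease_ip: str = ""   # dhcp_ack: assigned address (yiaddr)
    target_ip: str = ""  # arp_request: address being resolved

class BindingFilter:
    def __init__(self, dhcp_server_mac):
        self.dhcp_server_mac = dhcp_server_mac
        self.bindings = {}   # client MAC -> leased IP, learned from DHCP ACKs only

    def process(self, frame):
        """Return "forward", "proxy-arp <mac>" or "drop: <why>" (the why feeds alerting)."""
        if frame.kind == "dhcp_ack":
            # A forged ACK arriving from the wireless side must not create a binding.
            if frame.src_mac != self.dhcp_server_mac:
                return "drop: DHCP ACK from untrusted sender"
            self.bindings[frame.lease_mac] = frame.lease_ip
            return "forward"
        if frame.src_mac not in self.bindings:
            return "drop: no DHCP binding for source MAC"
        if frame.kind == "arp_request":
            # Answer from the table so a client can never poison anyone's ARP cache.
            for mac, ip in self.bindings.items():
                if ip == frame.target_ip:
                    return f"proxy-arp {mac}"
            return "drop: ARP for unbound address"
        if frame.kind == "ip" and self.bindings[frame.src_mac] == frame.src_ip:
            return "forward"
        return "drop: source IP does not match binding or unsupported frame"

def demo():
    # Constructed traffic: server is 00:00:5e:00:53:01, AA leases .10, BB leases .11.
    srv, aa, bb = "00:00:5e:00:53:01", "02:00:00:00:00:aa", "02:00:00:00:00:bb"
    ap = BindingFilter(dhcp_server_mac=srv)
    frames = [
        Frame(aa, "ip", src_ip="192.0.2.10"),                        # before any lease
        Frame(aa, "dhcp_ack", lease_mac=aa, lease_ip="192.0.2.99"),  # forged ACK
        Frame(srv, "dhcp_ack", lease_mac=aa, lease_ip="192.0.2.10"),
        Frame(srv, "dhcp_ack", lease_mac=bb, lease_ip="192.0.2.11"),
        Frame(aa, "ip", src_ip="192.0.2.10"),                        # legitimate
        Frame(aa, "ip", src_ip="192.0.2.1"),                         # spoofed gateway IP
        Frame(aa, "arp_request", target_ip="192.0.2.11"),            # proxied by the AP
    ]
    return [ap.process(f) for f in frames]
```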