KRACK (Key Reinstallation Attacks) was reported several years ago: a set of techniques for exploiting critical vulnerabilities in the WPA2 protocol, which until then had been considered quite reliable. KRACK allows an attacker to bypass the protection and listen to traffic in a wireless network on the “access point – computer” link.

Now one of the researchers who presented KRACK in 2017 has disclosed several more vulnerabilities. There are 12 of them in total, and each is critical because it affects a wide range of wireless devices. The author of the work is Mathy Vanhoef. According to him, the attacks he has disclosed threaten the vast majority of popular wireless devices, both consumer and corporate.

What are these attacks?

The researcher combined all 12 vulnerabilities into one “package”, named FragAttacks, much as the earlier attacks were named KRACK 4 years ago. Back then the tools relied on reinstalling the encryption keys that protect WPA2 traffic. Now the situation is somewhat different.

The vulnerabilities can be roughly divided into two categories:

  1. The first includes 3 vulnerabilities identified in the Wi-Fi standards themselves. It affects all devices that support the IEEE 802.11 family of standards. According to the researchers, some of these weaknesses were already present in 1997, and they still allow a wireless device to be attacked and the network compromised today.
  2. The second group includes 9 separate problems related to specific implementations of wireless stacks. That is, each vulnerability in this group is caused by bugs or technical flaws in a particular stack.

Although the first group seems more dangerous at first glance, the situation is actually the reverse. With the first group, the vulnerabilities are common to the standards themselves, but to exploit them successfully the victim must first perform a certain sequence of actions.

Far more effort is needed to mitigate the threat posed by the second group. No such sequence of user actions is required there, and the vulnerabilities apply regardless of which security protocol is used: WPA2, WPA3, or something else.

Full list

The researcher named all 12 vulnerabilities. Below is a brief description of each and of the problems associated with it.

First group

CVE-2020-24588. The vulnerability allows an attack on aggregated frames (A-MSDUs). Examples of such an attack are redirecting a user to a malicious DNS server or bypassing network address translation (NAT).

CVE-2020-24587. Mixed key attack, whereby an attacker can determine data sent by the client. An example is recovering the contents of a cookie sent over HTTP.

CVE-2020-24586. Fragment cache attack, which makes it possible to replace client data with the attacker’s data.

Second group

CVE-2020-26140 and CVE-2020-26143. A range of access point and wireless card models accept injected data frames. An attacker can use these to inject data frames regardless of the current network configuration.

CVE-2020-26145. Gives an attacker the ability to inject arbitrary network packets regardless of the network configuration. Almost any network using WEP, WPA2, or WPA3 is vulnerable. The problem is that unencrypted broadcast fragments are treated as full frames.

CVE-2020-26144. Affected Wi-Fi implementations accept plaintext A-MSDU frames as long as the first 8 bytes match a valid RFC 1042 (LLC/SNAP) header for EAPOL. An attacker can inject arbitrary network packets regardless of the network configuration.

CVE-2020-26139. Allows EAPOL frames from a sender that is not yet authenticated to be forwarded. This vulnerability is common to many of the tested access points.

CVE-2020-26142. Fragmented frames are processed as complete frames.

CVE-2020-26141. No TKIP MIC check is performed on fragmented frames.

CVE-2020-26146. Encrypted fragments are reassembled without checking that their fragment numbers are consecutive.

CVE-2020-26147. Fragments are reassembled even when encrypted and unencrypted fragments are mixed.
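A defensive illustration of the fragmentation and plaintext-acceptance checks that the two lists above describe, added here as an example and not code from the article or from Vanhoef’s tooling: a simplified receive-side reassembler that models each received fragment as a Python object (the `Frag` fields and the `key_id` notion are assumptions of this model, not 802.11 field names) and refuses exactly the inputs that the CVEs above describe affected stacks accepting.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Frag:
    """One received 802.11 fragment (model); key_id is the index of the key it
    was decrypted under, None meaning it arrived as plaintext (assumption)."""
    seq: int       # sequence number shared by all fragments of one frame
    frag: int      # fragment number, starting at 0
    more: bool     # "more fragments" flag
    key_id: Optional[int]
    payload: bytes

class Defragmenter:
    def __init__(self, protected: bool = True):
        self.protected = protected  # is this a WPA2/WPA3-protected network?
        self.cache = {}             # seq -> list of buffered fragments

    def on_reassociation(self) -> None:
        # CVE-2020-24586: never combine fragments buffered before a
        # (re)association with fragments received after it.
        self.cache.clear()

    def accept(self, f: Frag) -> Optional[bytes]:
        # Returns the reassembled payload, or None if pending or dropped.
        if self.protected and f.key_id is None:
            # CVE-2020-26140/26143/26144/26145: in a protected network a plaintext
            # frame is dropped, even if it starts with an EAPOL LLC/SNAP header.
            return None
        if f.frag == 0 and not f.more:
            return f.payload            # unfragmented frame
        if f.frag == 0:
            self.cache[f.seq] = [f]     # first fragment: start buffering
            return None
        pending = self.cache.get(f.seq)
        if pending is None:
            # CVE-2020-26142: a non-first fragment with nothing buffered
            # before it is not treated as a complete frame.
            return None
        last = pending[-1]
        if f.frag != last.frag + 1 or f.key_id != last.key_id:
            # CVE-2020-26146: fragment numbers must be consecutive.
            # CVE-2020-24587/26147: every fragment of one frame must have been
            # decrypted under the same key; never mix keys or plaintext.
            del self.cache[f.seq]
            return None
        pending.append(f)
        if f.more:
            return None
        del self.cache[f.seq]
        return b"".join(p.payload for p in pending)
```

Any real stack also has to apply these checks per transmitter address and, for TKIP, verify the MIC over the reassembled frame (CVE-2020-26141), which this model omits.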

Exploiting vulnerabilities

Mathy Vanhoef demonstrated the exploitation of the vulnerabilities in a video, in which he not only shows everything but also explains it.

In short, most of the vulnerabilities make it possible to inject or substitute L2 frames in a network protected by a given protocol. As with KRACK, this allows an attacker to gain access to the victim’s traffic and begin analysing it.

The most accessible way for an attacker to do this is to spoof DNS responses, which makes it possible to direct the user to a dummy host set up by the attacker. In addition, the vulnerabilities can be used to traverse NAT on a router and reach a compromised device on the local network directly, and to bypass firewall restrictions. Some of the vulnerabilities make it possible to intercept traffic in the victim’s network and learn its contents, though only traffic that is transmitted in plaintext, without encryption.

Another video by Vanhoef shows a vulnerability being exploited to intercept a password transmitted over HTTP without encryption. In this case the attacker is able to analyse the traffic of the sites the victim visits. Although many sites use HTTPS, this threat is still relevant.

Smart devices are also targets. The attacks in the FragAttacks package allow a smart socket connected to a Wi-Fi network to be compromised. After a successful compromise, an attacker can go on to attack other devices on the local network, though only those whose software or firmware vulnerabilities have not been patched. The author in particular demonstrated the compromise of a Windows 7 PC on the local network.

To what extent are these vulnerabilities still relevant?

This is a good question, but there is no definite answer. The vulnerability information was sent to manufacturers about 9 months ago, after which vendors, as well as organisations such as ICASI and the Wi-Fi Alliance, prepared changes to the specifications and updates.

Among the tested were the following devices:

How did the author of the study know about all this?

A number of the problems were identified during the research phase of the KRACK attack. At that time several notes were made for future work. Three years later, the author of the study looked closely at vulnerabilities in wireless devices and software. As it turned out, the discovered problems are almost typical, although initially he believed otherwise, assuming that such vulnerabilities were not very common.