What You Need to Know about FragAttacks
By The Telit Cinterion Team
June 15, 2021
A series of Wi-Fi security weaknesses has been discovered by Belgian security expert Mathy Vanhoef, involving faults and bugs that date back to 1997, when Wi-Fi was first released.
Fragmentation and aggregation attacks (FragAttacks) are a collection of security weaknesses that affect Wi-Fi devices. FragAttacks enable malicious actors within Wi-Fi radio range to steal personal information or compromise devices, from computers to IoT-enabled smart devices. The scale of this threat is significant: experiments show that all Wi-Fi products have at least one of these vulnerabilities, and most products are affected by several. Three of the vulnerabilities are design flaws in the Wi-Fi standard, and many others are caused by programming faults in Wi-Fi products.
FragAttacks exploit Wi-Fi flaws in two ways:
All modern Wi-Fi security protocols are affected, including the latest WPA3 and even the original WEP protocol. However, the design flaws are difficult to exploit, because doing so requires user interaction or unusual network settings. Programming mistakes in Wi-Fi products are the biggest concern, as they require little effort to abuse.
Since these threats were discovered, the Wi-Fi Alliance has been working to correct the standards and release device firmware patches. If your device doesn’t have updates available yet, you can protect against some attacks by ensuring the websites you access use HTTPS and that your devices have received all other updates.
Full technical details of these vulnerabilities are available on FragAttacks.
Video: “FragAttacks: Demonstration of Flaws in WPA2/3” by Mathy Vanhoef
The NIST announcements are in the form of CVEs, and you can search each of them here.
Please see the matrix below for details of the impact on Telit modules.
VP of SW Engineering
CVE ID | Description | GS2000 Family | WE866C6 | WE310F5 | WL865E4-P |
---|---|---|---|---|---|
CVE-2020-24586 | Not clearing fragments from memory when (re)connecting to a network | Not affected when using WLAN version 5.8.1.3 and above | Not affected | Not affected | Not affected |
CVE-2020-24587 | Reassembling fragments encrypted under different keys | Not affected | Not affected | Not affected | Not affected |
CVE-2020-24588 | Accepting non-SPP A-MSDU frames | Not affected | Partially vulnerable when using version 8.1.1.2 and below | Not affected | Partially vulnerable when using version 36.07.002 and below |
CVE-2020-26139 | Forwarding EAPOL frames even though the sender is not yet authenticated | Not affected | Partially vulnerable when using version 8.1.1.2 and below | Partially vulnerable when using version below 39.00.001 | Partially vulnerable when using version 36.07.002 and below |
CVE-2020-26140 | Accepting plaintext data frames in a protected network | Not affected | Not affected | Vulnerable when using version below 39.00.001 | Vulnerable when using version 36.07.002 and below |
CVE-2020-26142 | Processing fragmented frames as full frames | Not affected | Not affected | Not affected | Not affected |
CVE-2020-26143 | Accepting fragmented plaintext data frames in a protected network | Not affected | Not affected | Not affected | Not affected |
CVE-2020-26144 | Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network) | Not affected | Not affected | Not affected | Not affected |
CVE-2020-26145 | Accepting plaintext broadcast fragments as full frames (in an encrypted network) | Not affected | Vulnerable when using version 8.1.1.2 and below | Partially vulnerable when using version 39.00.001 and below | Partially vulnerable when using version 36.07.002 and below |
CVE-2020-26146 | Reassembling encrypted fragments with non-consecutive packet numbers | Not affected | Not affected | Not affected | Not affected |
CVE-2020-26147 | Reassembling mixed encrypted/plaintext fragments | Not affected | Not affected | Not affected | Not affected |
The Telit WE866A1 uses the Texas Instruments (TI) chipset. Please see the statement released by TI here.
For any other details, please contact the Telit Security Team here by selecting “Security Questions.”
Telit has repaired the FragAttack vulnerabilities in the WL865E4-P module. We have also verified that the legacy GS1011 product line is not vulnerable.
Please see the updated matrix below for details of the impact on Telit modules.
CVE ID | Description | GS2000 Family | WE866C6 | WE310F5 | WL865E4-P |
---|---|---|---|---|---|
CVE-2020-24586 | Not clearing fragments from memory when (re)connecting to a network | Not affected when using WLAN version 5.8.1.3 and above | Not affected | Not affected | Not affected |
CVE-2020-24587 | Reassembling fragments encrypted under different keys | Not affected | Not affected | Not affected | Not affected |
CVE-2020-24588 | Accepting non-SPP A-MSDU frames | Not affected | Partially vulnerable when using version 8.1.1.2 and below | Not affected | Not affected when using version 36.07.003 and above |
CVE-2020-26139 | Forwarding EAPOL frames even though the sender is not yet authenticated | Not affected | Partially vulnerable when using version 8.1.1.2 and below | Partially vulnerable when using version below 39.00.001 | Not affected when using version 36.07.003 and above |
CVE-2020-26140 | Accepting plaintext data frames in a protected network | Not affected | Not affected | Vulnerable when using version below 39.00.001 | Not affected when using version 36.07.003 and above |
CVE-2020-26142 | Processing fragmented frames as full frames | Not affected | Not affected | Not affected | Not affected |
CVE-2020-26143 | Accepting fragmented plaintext data frames in a protected network | Not affected | Not affected | Not affected | Not affected |
CVE-2020-26144 | Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network) | Not affected | Not affected | Not affected | Not affected |
CVE-2020-26145 | Accepting plaintext broadcast fragments as full frames (in an encrypted network) | Not affected | Vulnerable when using version 8.1.1.2 and below | Partially vulnerable when using version 39.00.001 and below | Not affected when using version 36.07.003 and above |
CVE-2020-26146 | Reassembling encrypted fragments with non-consecutive packet numbers | Not affected | Not affected | Not affected | Not affected |
CVE-2020-26147 | Reassembling mixed encrypted/plaintext fragments | Not affected | Not affected | Not affected | Not affected |
Telit has repaired the FragAttack vulnerabilities in the WE310F5 MP release 39.00.001.
Please see the updated matrix below for details of the impact on Telit modules.
CVE ID | Description | GS2000 Family | WE866C6 | WE310F5 | WL865E4-P |
---|---|---|---|---|---|
CVE-2020-24586 | Not clearing fragments from memory when (re)connecting to a network | Not affected when using WLAN version 5.8.1.3 and above | Not affected | Not affected | Not affected |
CVE-2020-24587 | Reassembling fragments encrypted under different keys | Not affected | Not affected | Not affected | Not affected |
CVE-2020-24588 | Accepting non-SPP A-MSDU frames | Not affected | Partially vulnerable when using version 8.1.1.2 and below | Not affected | Not affected when using version 36.07.003 and above |
CVE-2020-26139 | Forwarding EAPOL frames even though the sender is not yet authenticated | Not affected | Partially vulnerable when using version 8.1.1.2 and below | Not affected when using version 39.00.001 and above | Not affected when using version 36.07.003 and above |
CVE-2020-26140 | Accepting plaintext data frames in a protected network | Not affected | Not affected | Not affected when using version 39.00.001 and above | Not affected when using version 36.07.003 and above |
CVE-2020-26142 | Processing fragmented frames as full frames | Not affected | Not affected | Not affected | Not affected |
CVE-2020-26143 | Accepting fragmented plaintext data frames in a protected network | Not affected | Not affected | Not affected | Not affected |
CVE-2020-26144 | Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network) | Not affected | Not affected | Not affected | Not affected |
CVE-2020-26145 | Accepting plaintext broadcast fragments as full frames (in an encrypted network) | Not affected | Vulnerable when using version 8.1.1.2 and below | Not affected when using version 39.00.001 and above | Not affected when using version 36.07.003 and above |
CVE-2020-26146 | Reassembling encrypted fragments with non-consecutive packet numbers | Not affected | Not affected | Not affected | Not affected |
CVE-2020-26147 | Reassembling mixed encrypted/plaintext fragments | Not affected | Not affected | Not affected | Not affected |
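
Four rows of the matrix (CVE-2020-24586, CVE-2020-24587, CVE-2020-26146 and CVE-2020-26147) each describe a check that a receiver omits while reassembling fragments. The Python model below is an added illustration of those checks on the receiving side; it is not Telit's or any vendor's firmware code. The `Fragment` fields, the `key_epoch` tag and the `ReassemblyCache` class are hypothetical names, and the sample frames are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:          # hypothetical model of one received 802.11 fragment
    seq: int             # sequence number shared by all fragments of a frame
    frag: int            # fragment number, starting at 0
    more: bool           # More Fragments flag
    encrypted: bool      # True if the fragment arrived encrypted
    key_epoch: int       # receiver-side tag of the key that decrypted it (assumption)
    pn: int              # packet number taken from the encryption header
    data: bytes

class ReassemblyCache:
    def __init__(self):
        self.pending = {}            # (sender, seq) -> fragments received so far

    def on_reconnect(self):
        # CVE-2020-24586: fragments must not survive a (re)connect
        self.pending.clear()

    def receive(self, sender, f):
        """Return the reassembled payload, or None if incomplete or rejected."""
        key = (sender, f.seq)
        if f.frag == 0:
            self.pending[key] = [f]  # a new first fragment replaces stale state
        else:
            prev = self.pending.get(key)
            ok = (
                prev is not None
                and f.frag == prev[-1].frag + 1
                and f.encrypted == prev[0].encrypted                # CVE-2020-26147
                and f.key_epoch == prev[0].key_epoch                # CVE-2020-24587
                and (not f.encrypted or f.pn == prev[-1].pn + 1)    # CVE-2020-26146
            )
            if not ok:
                self.pending.pop(key, None)   # drop the whole frame, not just this piece
                return None
            prev.append(f)
        if f.more:
            return None
        return b"".join(p.data for p in self.pending.pop(key))

if __name__ == "__main__":
    cache, sta = ReassemblyCache(), "02:00:00:00:00:01"   # constructed sender address
    cache.receive(sta, Fragment(7, 0, True, True, 1, 100, b"frag"))
    print(cache.receive(sta, Fragment(7, 1, False, True, 1, 101, b"ment")))  # accepted
    cache.receive(sta, Fragment(8, 0, True, True, 1, 102, b"frag"))
    print(cache.receive(sta, Fragment(8, 1, False, True, 1, 105, b"ment")))  # PN gap
```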