A series of Wi-Fi security weaknesses have been discovered by Belgian security expert Mathy Vanhoef, involving faults and bugs that date back to 1997, when Wi-Fi was first released.

Fragmentation and aggregation attacks (FragAttacks) are a collection of security weaknesses that target Wi-Fi devices. FragAttacks enable malicious actors within Wi-Fi radio range to steal personal information or compromise devices, from computers to IoT-enabled smart devices. The scale of this threat is significant, with experiments revealing that all Wi-Fi products have at least one of these vulnerabilities, and most products are affected by several. Three of the vulnerabilities are design flaws in the Wi-Fi standard, and many others are caused by programming faults in Wi-Fi products.

FragAttacks exploit Wi-Fi flaws in two ways:

  • The theft of sensitive data, such as usernames and passwords
  • Attacking and taking over devices in a local or home network

All modern Wi-Fi security protocols, including the latest WPA3 and even the original WEP, are affected. However, the design flaws are difficult to exploit, as doing so requires user interaction or unusual network settings. Programming mistakes in Wi-Fi products are the biggest concern, as they require little effort to abuse.

Since these threats were discovered, the Wi-Fi Alliance has been working to correct the standards and release device firmware patches. If your device doesn’t have updates available yet, you can protect against some attacks by ensuring the websites you access use HTTPS and that your devices have received all other updates.

Full technical details of these vulnerabilities are available on FragAttacks.

Video: "FragAttacks: Demonstration of Flaws in WPA2/3" by Mathy Vanhoef

The NIST announcements are in the form of CVEs, and you can search each of them here.

Please see the matrix below for details of the impact on Telit modules. 

Dr. Mihai Voicu, VP IoT Services R&D and Security Technologies
Vishal Batra, VP of SW Engineering

| CVE ID | Description | GS2000 Family | WE866C6 | WE310F5 | WL865E4-P |
|---|---|---|---|---|---|
| CVE-2020-24586 | Not clearing fragments from memory when (re)connecting to a network | Not affected when using WLAN version 5.8.1.3 and above | Not affected | Not affected | Not affected |
| CVE-2020-24587 | Reassembling fragments encrypted under different keys | Not affected | Not affected | Not affected | Not affected |
| CVE-2020-24588 | Accepting non-SPP A-MSDU frames | Not affected | Partially vulnerable when using version 8.1.1.2 and below | Not affected | Partially vulnerable when using version 36.07.002 and below |
| CVE-2020-26139 | Forwarding EAPOL frames even though the sender is not yet authenticated | Not affected | Partially vulnerable when using version 8.1.1.2 and below | Partially vulnerable when using version below 39.00.001 | Partially vulnerable when using version 36.07.002 and below |
| CVE-2020-26140 | Accepting plaintext data frames in a protected network | Not affected | Not affected | Vulnerable when using version below 39.00.001 | Vulnerable when using version 36.07.002 and below |
| CVE-2020-26142 | Processing fragmented frames as full frames | Not affected | Not affected | Not affected | Not affected |
| CVE-2020-26143 | Accepting fragmented plaintext data frames in a protected network | Not affected | Not affected | Not affected | Not affected |
| CVE-2020-26144 | Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network) | Not affected | Not affected | Not affected | Not affected |
| CVE-2020-26145 | Accepting plaintext broadcast fragments as full frames (in an encrypted network) | Not affected | Vulnerable when using version 8.1.1.2 and below | Partially vulnerable when using version 39.00.001 and below | Partially vulnerable when using version 36.07.002 and below |
| CVE-2020-26146 | Reassembling encrypted fragments with non-consecutive packet numbers | Not affected | Not affected | Not affected | Not affected |
| CVE-2020-26147 | Reassembling mixed encrypted/plaintext fragments | Not affected | Not affected | Not affected | Not affected |

The Telit WE866A1 uses the Texas Instruments (TI) chipset. Please see the statement released by TI here.

We’ll be monitoring the situation as it develops. Please see below for updates.

For any other details, please contact the Telit Security Team by using the following link:
https://www.telit.com/contact-us and select “Security” under “I Am Writing About.”

June 2021 Update

2 June 2021

Telit has repaired the FragAttack vulnerabilities in the WL865E4-P module. We have also verified that the legacy GS1011 product line is not vulnerable.

Please see the updated matrix below for details of the impact on Telit modules. 

| CVE ID | Description | GS2000 Family | WE866C6 | WE310F5 | WL865E4-P |
|---|---|---|---|---|---|
| CVE-2020-24586 | Not clearing fragments from memory when (re)connecting to a network | Not affected when using WLAN version 5.8.1.3 and above | Not affected | Not affected | Not affected |
| CVE-2020-24587 | Reassembling fragments encrypted under different keys | Not affected | Not affected | Not affected | Not affected |
| CVE-2020-24588 | Accepting non-SPP A-MSDU frames | Not affected | Partially vulnerable when using version 8.1.1.2 and below | Not affected | Not affected when using version 36.07.003 and above |
| CVE-2020-26139 | Forwarding EAPOL frames even though the sender is not yet authenticated | Not affected | Partially vulnerable when using version 8.1.1.2 and below | Partially vulnerable when using version below 39.00.001 | Not affected when using version 36.07.003 and above |
| CVE-2020-26140 | Accepting plaintext data frames in a protected network | Not affected | Not affected | Vulnerable when using version below 39.00.001 | Not affected when using version 36.07.003 and above |
| CVE-2020-26142 | Processing fragmented frames as full frames | Not affected | Not affected | Not affected | Not affected |
| CVE-2020-26143 | Accepting fragmented plaintext data frames in a protected network | Not affected | Not affected | Not affected | Not affected |
| CVE-2020-26144 | Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network) | Not affected | Not affected | Not affected | Not affected |
| CVE-2020-26145 | Accepting plaintext broadcast fragments as full frames (in an encrypted network) | Not affected | Vulnerable when using version 8.1.1.2 and below | Partially vulnerable when using version 39.00.001 and below | Not affected when using version 36.07.003 and above |
| CVE-2020-26146 | Reassembling encrypted fragments with non-consecutive packet numbers | Not affected | Not affected | Not affected | Not affected |
| CVE-2020-26147 | Reassembling mixed encrypted/plaintext fragments | Not affected | Not affected | Not affected | Not affected |

15 June 2021

Telit has repaired the FragAttack vulnerabilities in the WE310F5 MP release 39.00.001.

Please see the updated matrix below for details of the impact on Telit modules.

| CVE ID | Description | GS2000 Family | WE866C6 | WE310F5 | WL865E4-P |
|---|---|---|---|---|---|
| CVE-2020-24586 | Not clearing fragments from memory when (re)connecting to a network | Not affected when using WLAN version 5.8.1.3 and above | Not affected | Not affected | Not affected |
| CVE-2020-24587 | Reassembling fragments encrypted under different keys | Not affected | Not affected | Not affected | Not affected |
| CVE-2020-24588 | Accepting non-SPP A-MSDU frames | Not affected | Partially vulnerable when using version 8.1.1.2 and below | Not affected | Not affected when using version 36.07.003 and above |
| CVE-2020-26139 | Forwarding EAPOL frames even though the sender is not yet authenticated | Not affected | Partially vulnerable when using version 8.1.1.2 and below | Not affected when using version 39.00.001 and above | Not affected when using version 36.07.003 and above |
| CVE-2020-26140 | Accepting plaintext data frames in a protected network | Not affected | Not affected | Not affected when using version 39.00.001 and above | Not affected when using version 36.07.003 and above |
| CVE-2020-26142 | Processing fragmented frames as full frames | Not affected | Not affected | Not affected | Not affected |
| CVE-2020-26143 | Accepting fragmented plaintext data frames in a protected network | Not affected | Not affected | Not affected | Not affected |
| CVE-2020-26144 | Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network) | Not affected | Not affected | Not affected | Not affected |
| CVE-2020-26145 | Accepting plaintext broadcast fragments as full frames (in an encrypted network) | Not affected | Vulnerable when using version 8.1.1.2 and below | Not affected when using version 39.00.001 and above | Not affected when using version 36.07.003 and above |
| CVE-2020-26146 | Reassembling encrypted fragments with non-consecutive packet numbers | Not affected | Not affected | Not affected | Not affected |
| CVE-2020-26147 | Reassembling mixed encrypted/plaintext fragments | Not affected | Not affected | Not affected | Not affected |