From 8b48cf302c8b14e59458ee84c8d3c55d81c130ad Mon Sep 17 00:00:00 2001 From: Mathy Vanhoef Date: Tue, 11 Aug 2020 16:23:54 +0400 Subject: [PATCH] fragattacks: tweaks to README and SUMMARY --- research/README.md | 5 +++-- research/SUMMARY.md | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/research/README.md b/research/README.md index 658a0e764..8ae7892e9 100644 --- a/research/README.md +++ b/research/README.md @@ -2,8 +2,9 @@ # 1. Introduction -The discovered vulnerabilities affect all Wi-Fi networks. The resulting attacks are identical against WPA2 and WPA3 -because their CCMP and GCMP encryption ciphers are identical. +The discovered vulnerabilities affect all Wi-Fi networks. A short summary of all vulnerabilities can be +found [here](SUMMARY.md), although we also recommend reading the [paper](fragattacks.pdf). The resulting +attacks are identical against WPA2 and WPA3 because their CCMP and GCMP encryption ciphers are identical. Older WPA networks by default use TKIP for encryption, and the applicability of the attacks against this cipher are discussed in the paper. To illustrate that Wi-Fi has been vulnerable since its creation, diff --git a/research/SUMMARY.md b/research/SUMMARY.md index 28495a447..0df73f638 100644 --- a/research/SUMMARY.md +++ b/research/SUMMARY.md @@ -26,9 +26,9 @@ This document contains a summary of the discovered vulnerabilities. Every bullet - **Accepting plaintext data frames when connected to an encrypted network**: Vulnerable implementations accept plaintext (fragmented) frames when connected to an encrypted network. An adversary can abuse this to inject arbitrary packets independent of the network configuration. -- **Forwarding EAPOL frames even though the sender is not yet authenticated**: Vulnerable APs will forward EAPOL frames to other clients even though the sender has not yet authenticated. Although on its own this cannot be abused to attack the AP, it facilitates attacks against connected clients. +- **Forwarding EAPOL frames even though the sender is not yet authenticated**: Vulnerable APs will forward EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. On its own this cannot be abused to attack the AP, but it does make it easier to exploit certain vulnerabilities in connected clients. -- **Not verifying the TKIP MIC of (fragmented) frames**: Vulnerable implementations do not verify the Message Integrity Check, i.e., authenticity, of (fragmented) TKIP frames. An adversary can abuse this to inject and possibly decrypt packets. +- **Not verifying the TKIP MIC of (fragmented) frames**: Vulnerable implementations do not verify the Message Integrity Check, i.e., authenticity, of (fragmented) TKIP frames. An adversary can abuse this to inject and possibly decrypt packets. - **Processing fragmented frames as full frames**: Vulnerable implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary packets, independent of the network configuration.