Wireless Data Exfiltration Vulnerability

Editor: Greg Haapaoja
Category: Cybersecurity
Date: April 26, 2025

On May 12, 2021, a newer vulnerability affecting most wireless-enabled devices was discovered and an advisory was issued by CIS (Center for Internet Security). The CVEs are listed below:

A vulnerability exists in the 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) that could allow an attacker to:

  • Inject arbitrary network packets. (CVE-2020-24588)
  • Decrypt selected fragments when another device sends fragmented frames. (CVE-2020-24587)
  • Inject arbitrary network packets and/or exfiltrate user data. (CVE-2020-24586)

While this vulnerability was only discovered recently, it affects all wireless security protocols, meaning that any wireless device dating back to 1997 (the introduction of wireless devices and wireless security) is susceptible to attack.

Security updates were prepared during a 9-month-long coordinated disclosure, supervised by the Wi-Fi Alliance and ICASI, so that devices could receive updates protecting them from attacks targeting these vulnerabilities. If you have Wi-Fi-enabled devices, ensure none are vulnerable to this attack by reviewing all wireless-capable devices and verifying that they are updated. If updates for your devices are not yet available, some of these attacks may be mitigated by:

  • Ensuring HTTPS is used when visiting websites. This will mitigate sensitive data exfiltration techniques that an attacker can use.
  • Manually configuring your DNS server so that it cannot be poisoned.
  • Specific to Wi-Fi configurations: Disable fragmentation, disable pairwise rekeys, and disable dynamic fragmentation in Wi-Fi 6 devices.
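The Wi-Fi-specific mitigations can be checked mechanically on an access point. The following is an added example, not code from the original post: it assumes the access point runs hostapd and audits its configuration text for the `fragm_threshold` and `wpa_ptk_rekey` keys. Keys that are absent are reported as "unset" rather than assumed safe, and Wi-Fi 6 dynamic fragmentation is not covered.

```python
# Added example: audit a hostapd-style config for the Wi-Fi mitigations above.
# Assumption: the AP runs hostapd; fragm_threshold and wpa_ptk_rekey are
# hostapd.conf keys. The sample configs below are constructed for illustration.

def parse_conf(text):
    """Return key -> value for key=value lines, ignoring comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()  # last occurrence wins
    return settings

def audit(text):
    """Map each mitigation to 'ok', 'unset' (verify the default) or a finding."""
    conf = parse_conf(text)
    checks = {
        # config key: (mitigation name, values that mean "disabled")
        "fragm_threshold": ("fragmentation", {"-1"}),
        "wpa_ptk_rekey": ("pairwise rekey", {"0"}),
    }
    report = {}
    for key, (name, off_values) in checks.items():
        if key not in conf:
            report[name] = "unset"
        elif conf[key] in off_values:
            report[name] = "ok"
        else:
            report[name] = f"enabled ({key}={conf[key]})"
    return report

# Constructed sample config, not taken from any real device.
SAMPLE = """\
interface=wlan0
ssid=example-net
wpa=2
# fragment frames larger than 512 bytes
fragm_threshold=512
wpa_ptk_rekey=600
"""

# The same config with both mitigations applied.
HARDENED = (SAMPLE.replace("fragm_threshold=512", "fragm_threshold=-1")
                  .replace("wpa_ptk_rekey=600", "wpa_ptk_rekey=0"))

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE), ("hardened", HARDENED)):
        print(label, audit(text))
```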

One attack method allows an attacker to intercept and modify part of the header of the encrypted transported data. An attacker can abuse this by targeting the network a device is on and sending the user a specially crafted email. This email, when opened, would load an image hosted on the attacker’s server, which, instead of returning an image, sends a TCP packet to take over the connection as a rogue access point, even handling the DNS requests.

Another attack method, a fragmentation attack, uses partial packets (fragments) to craft malicious packets, which are then used to intercept and decrypt packets. This technique, while only possible in rare conditions, can also be used to exfiltrate selected client data.

OCD Tech can assist your organization by scanning your environment to determine if you have vulnerable devices, and can help you obtain the necessary updates or advise on alternative remediations. Please contact us for a consultation.

Listed below are other CVEs that were released as part of the previously mentioned vulnerability findings:

A vulnerability exists in Samsung Galaxy S3 i9305 4.4.4 (discontinued Samsung phone) devices that could allow an attacker to:

  • Inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)
  • Inject arbitrary network packets independent of the network configuration. (CVE-2020-26144)
  • Exfiltrate selected fragments. (CVE-2020-26146)

A vulnerability exists in the ALFA Windows 10 driver:

  • 6.1316.1209 for AWUS036H that could allow an attacker to inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)
  • 6.1316.1209 for AWUS036H that could allow an attacker to inject and possibly decrypt packets. (CVE-2020-26141)
  • 1030.36.604 for AWUS036ACH that could allow an attacker to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)

A vulnerability exists in the kernel in NetBSD 7.1 that could allow an attacker to:

  • Launch denial-of-service attacks against connected clients and more easily exploit other vulnerabilities in connected clients. (CVE-2020-26139)

A vulnerability exists in the Linux kernel 5.8.9 that could:

  • Allow an attacker to inject packets and/or exfiltrate selected fragments. (CVE-2020-26147)

A vulnerability exists in the kernel in OpenBSD 6.6 that could:

  • Allow an attacker to inject arbitrary network packets, independent of the network configuration. (CVE-2020-26142)

Wi-Fi Alliance:

https://www.wi-fi.org/security-update-fragmentation

FragAttack:

https://www.fragattacks.com/#beingexploit

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24588

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24587

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24586

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26145

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26144

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26140

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26143

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26139

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26146

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26147

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26142

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26141

By Greg Haapaoja, May 13, 2021