This presentation introduces three novel security-related design flaws in Wi-Fi and various widespread implementation flaws. An adversary can abuse these to inject packets or exfiltrate selected frames. As an example, it will be demonstrated how packet injection can be used to punch a hole in the router's NAT so the adversary can connect to and exploit internal devices in the network (e.g. BlueKeep against Windows 7).
The first design flaw is present in Wi-Fi's frame aggregation feature, where a flag in the Wi-Fi header is not properly protected. The other two design flaws are present in Wi-Fi's frame fragmentation feature, where the receiver improperly verifies and manages fragments. Although these design flaws can be non-trivial to exploit, they affect all protected Wi-Fi networks. Some design flaws even affect the ancient WEP protocol, meaning that these flaws have been part of Wi-Fi since 1997.
In practice, the implementation vulnerabilities are the most concerning. Several are widespread and trivial to exploit. For example, some devices accept plaintext frames in a protected Wi-Fi network, and others accept plaintext aggregated frames that resemble handshake messages. The resulting attacks, such as turning an IoT power socket on and off, will be demonstrated, and a tool will be released that can be used to test Wi-Fi products against all the discovered vulnerabilities.