FragAttacks are a group of security vulnerabilities that can be used to attack Wi-Fi devices. Every Wi-Fi device ever created appears vulnerable, making it possible for attackers to steal sensitive data or attack devices on your network. Here’s what you need to know.
What Are FragAttacks?
Disclosed on May 12, 2021, FragAttacks stands for “fragmentation and aggregation attacks.” These are a collection of security vulnerabilities announced together. Three of them are design flaws with Wi-Fi itself and affect most devices that use Wi-Fi.
Additionally, the researchers found programming mistakes in many Wi-Fi products. These are even easier for attackers to abuse than the design flaws in Wi-Fi itself.
The collection of vulnerabilities called FragAttacks were discovered by Mathy Vanhoef, the same security researcher who previously discovered KRACK, an attack on the WPA2 encryption protocol used to secure Wi-Fi networks.
Which Devices Are Vulnerable to FragAttacks?
According to the researchers, every Wi-Fi device ever created appears vulnerable to at least one of the FragAttacks vulnerabilities. In other words, every Wi-Fi device going back to Wi-Fi’s first release in 1997 is likely vulnerable.
That’s the bad news. The good news is that this vulnerability was discovered nine months before it was revealed to the public. In that time, many companies have already released security patches that protect their devices from FragAttacks. For example, Microsoft updated Windows with protection against FragAttacks in the update released on March 9, 2021.
What Can an Attacker Do With FragAttacks?
An attacker can do one of two things with FragAttacks. First, in the right situation, FragAttacks can be used to steal data from a Wi-Fi network that should be encrypted and protected against such an attack. (Websites and applications that use HTTPS or another type of secure encryption are protected against such an attack. But, if you’re sending unencrypted data over an encrypted Wi-Fi connection, a FragAttack could be used to bypass the Wi-Fi encryption.)
This highlights the importance of securing data being sent over a network with encryption—even if that data is just being sent between two devices on your local network. It’s also another example of why using HTTPS everywhere is so important for the future of the web. Browsers are slowly shifting away from HTTP and to HTTPS for good reason.
Second, the researchers say that the main concern is that FragAttacks could be used to launch attacks against vulnerable devices on a Wi-Fi network. Unfortunately, many smart home and IoT devices—especially those created by strange fly-by-night brands that don’t provide long-term support for their devices—do not regularly receive updates. A cheap, inexpensive smart plug or smart light bulb from an unknown brand may be easy to attack. In theory, this “shouldn’t matter” because that device is on a trusted home network—but FragAttacks offer a way to bypass the Wi-Fi network’s protection and attack a device directly, just as if the attacker were connected to the same Wi-Fi network as the device.
It’s more confirmation of the importance of security updates: The devices you choose to use should be from reputable manufacturers that provide security updates and long-term support for their hardware. This even applies to cheap Wi-Fi-enabled smart plugs. Secure your smart home.
What’s the Actual Risk?
First of all, as an attack against Wi-Fi, an attacker would have to be in the radio range of your network—in other words, in your physical vicinity—to execute an attack that used FragAttacks.
In other words, if you’re in an apartment or a dense urban area, there are more people nearby and you’re at a somewhat higher risk. If you live somewhere without other people around, you’re very unlikely to be attacked.
Corporate networks and those of other institutions that might be high-value targets are clearly more at risk than an average home network, too.
As of the disclosure of these flaws in May 2021, the researchers said there was no evidence any of these flaws are being exploited in the wild. So far, they appear to just be theoretical problems—but the public disclosure increases the risk that people will use them to attack networks in the real world.
So FragAttacks are a problem, but remember, this isn’t a “wormable” attack that can spread like wildfire over the internet—an attacker would have to be near you and target your network to attack your smart home devices or try to capture sensitive data. It’s very important that this flaw is disclosed and that device manufacturers issue software patches for existing devices and ensure future devices are protected, of course. And there are some things you can do to protect yourself.
How Do You Protect Yourself?
Thankfully, standard best practices for keeping your devices and network safe will also help protect you against FragAttacks. Here are the top three tips:
First, ensure the devices you’re using are getting security updates. If you’re still using a Windows 7 PC or an old version of macOS that isn’t getting updates, it’s time to upgrade. If your router is getting long in the tooth and your manufacturer never plans on updating it again, it’s time for a new router. If you have smart plugs or other old devices that aren’t getting firmware updates and likely have security flaws, you should replace them with something new.
Second, install those security updates. Modern devices will generally automatically install updates for you. However, on some devices—like routers—you have still have to click an option or tap a button to agree to install that update.
Third, use secure encryption. When signing in online, make sure you’re on an HTTPS site. Try to use HTTPS whenever possible—a browser extension like HTTPS Everywhere can help, but it’s much less necessary now that most websites you visit likely automatically use HTTPS if it’s available. Firefox can even be configured to warn you before loading websites that aren’t encrypted with HTTPS. Also, try using secure encryption everywhere: Even if you’re just transferring files between devices on your local network, use an application that offers encryption to secure that transfer. This will protect you from FragAttacks and other potential future flaws that could bypass your Wi-Fi encryption to spy on you.
Of course, a VPN can route all your traffic through an encrypted connection, so it gives you extra protection against FragAttacks if you have to access an HTTP website (or another unencrypted service) and you’re concerned about the network you’re currently using.
So that’s it: Use devices that are getting updates, install security updates, and use encryption when connecting to websites and transferring data. Thankfully, FragAttacks aren’t yet being used in the wild.
Of course, people who handle security for corporate IT departments will have a huge job ahead of them in ensuring their infrastructure isn’t vulnerable to these flaws.
For more technical information about FragAttacks, consult the official FragAttacks disclosure website.