Dark Reading is part of the Informa Tech Division of Informa PLC

01:00 PM
Amichai Shulman

Why We Need to Raise the Red Flag Against FragAttacks

Proliferation of wireless devices increases the risk that corporate networks will be attacked with this newly discovered breed of Wi-Fi-based cyber assault.

A newly discovered breed of cyber assault is threatening corporate networks. Dubbed "FragAttacks" (Fragmentation and Aggregation Attacks) by Mathy Vanhoef, the researcher who discovered them, these security breaches are a subcategory of digital airborne attacks performed over Wi-Fi networks. Combined with wireless-enabled devices that can become an antenna for hackers, digital airborne attacks must raise the cybersecurity industry's red flag.


At a high level, FragAttacks exploit vulnerabilities in Wi-Fi design and implementation. The vulnerabilities, which relate to packet aggregation and frame fragmentation, allow attackers to intercept encrypted frames and manipulate them to include attacker-controlled commands that can invoke data exfiltration or device takeover. The vulnerabilities affect all versions of Wi-Fi security, from the original 1997 WEP through the latest WPA3 release.

While the FragAttacks vulnerabilities are rated medium risk, they are the perfect storm for infiltrating corporate networks without leaving a trace.

Here are four reasons we need to take FragAttacks more seriously.

1. FragAttacks Can Be Carried Out Remotely
A dangerous misconception is that a hacker must be in physical proximity to a target to launch an attack. FragAttacks can be carried out by hackers sitting in front of a computer, thousands of miles away from their target. This is because Wi-Fi-enabled devices, both those within the corporate control radius and those outside it, can be commandeered remotely as "antennae" for hackers. These antennae — a Wi-Fi-enabled printer, an Amazon Alexa, or a wireless security camera at a nearby store — can be exploited using readily available, software-based wireless attack tools, giving hackers a remotely accessible stepping-stone to carry out a FragAttack.

2. FragAttacks Can Bypass Network Security
Some of these vulnerabilities enable an attacker to communicate with a device behind the firewall — even if that device is connected to a wired network. An attacker can inject small Internet Protocol (IP) packets within the communication that, for example, mess with the DNS configuration of devices on the network. Other FragAttack vulnerabilities allow direct interaction with corporate Wi-Fi devices over the air. Hence, no existing network security solution — not firewalls, network access control, wireless encryption, or other technology — can detect and mitigate FragAttacks.

3. All Wireless Devices on Your Network Are Vulnerable
The number and nature of FragAttack vulnerabilities suggest that all devices can become compromised. As evidence, every device the researchers tested was vulnerable to at least some FragAttack-related threats. Software patches are being developed that might reduce the number of devices vulnerable to FragAttacks. However, not all devices can be patched. The number and diversity of vulnerable devices mean patching will not be a viable long-term solution. It is hard enough to implement device patches broadly, even with a single device type with a patch made by its vendor. But when numerous devices from multiple vendors are involved, any hope of full protection through device patching becomes uncertain.

4. FragAttacks Leave No Trace in Network Logs
As hard as FragAttacks are to prevent, they are equally difficult to track afterward.

The saying "what you don't know won't hurt you" is not true for cybersecurity attacks. Security professionals often talk about revealing attackers as quickly as possible and reducing dwell time. But existing security tools don't record 802.11 traffic — the only place FragAttacks might leave a trace — because of the assumption that anything related to forensic interests must be on the IP level or higher.
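As an added illustration (not code from the article or from the FragAttacks research), the sketch below shows what an 802.11-level record could capture that IP-level logs never see: the fragmentation and aggregation fields of each data frame's MAC header. The sample frames are constructed, the function names are hypothetical, and frames are assumed to start at the 802.11 header with no radiotap prefix.

```python
import struct

def _hdr(fc, seq_ctrl, qos=None):
    """Build a constructed 802.11 MAC header (no payload, no FCS)."""
    addrs = bytes.fromhex("02aabbccdd01" "02aabbccdd02" "02aabbccdd03")
    out = struct.pack("<HH", fc, 0) + addrs + struct.pack("<H", seq_ctrl)
    return out + (struct.pack("<H", qos) if qos is not None else b"")

# Constructed sample frames, not captured traffic.
SAMPLE_FRAMES = [
    _hdr(0x4508, (100 << 4) | 0),          # data, protected, More Fragments, frag 0
    _hdr(0x4108, (100 << 4) | 1),          # data, protected, last fragment, frag 1
    _hdr(0x4188, (101 << 4) | 0, 0x0080),  # QoS data, A-MSDU Present bit set
    _hdr(0x0080, (7 << 4) | 0),            # beacon (management frame), ignored
]

def parse_header(frame):
    """Return fragmentation/aggregation fields of a data frame, else None."""
    if len(frame) < 24:
        return None
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 2:                       # type 2 = data frame
        return None
    seq_ctrl, = struct.unpack_from("<H", frame, 22)
    offset = 24
    if (fc & 0x0300) == 0x0300:          # ToDS and FromDS set: Address 4 present
        offset += 6
    amsdu = False
    if subtype & 0x8:                    # QoS data subtypes carry QoS Control
        if len(frame) < offset + 2:
            return None                  # truncated header
        qos, = struct.unpack_from("<H", frame, offset)
        amsdu = bool(qos & 0x0080)       # bit 7 of QoS Control: A-MSDU Present
    return {
        "ta": frame[10:16].hex(":"),     # Address 2, the transmitter
        "seq": seq_ctrl >> 4,            # sequence number (upper 12 bits)
        "frag": seq_ctrl & 0xF,          # fragment number (lower 4 bits)
        "more_frags": bool(fc & 0x0400),
        "protected": bool(fc & 0x4000),
        "amsdu": amsdu,
    }

def frames_of_interest(frames):
    """Keep records for fragmented or aggregated data frames only."""
    records = [r for r in map(parse_header, frames) if r]
    return [r for r in records if r["more_frags"] or r["frag"] > 0 or r["amsdu"]]
```
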

FragAttacks Are the Tip of the Iceberg
In early 2018, when Meltdown and Spectre were reported as the first chip architecture-related vulnerabilities, many considered them one-off events. The number of such vulnerabilities reported since then proves those predictions were wrong. The fact that some of the FragAttack-prone vulnerabilities have been in place since 1997 suggests that no one was looking for them. Now that Mathy Vanhoef has put a spotlight on the security shortcomings in standard Wi-Fi networks, other researchers (and, more critically, other hackers) are bound to follow suit, exposing even more vulnerabilities that increase the risk of digital airborne attacks.

Attacks that leverage wireless-enabled devices have widespread ramifications. FragAttacks are not the only attacks that can be launched remotely. For instance, a flaw recently revealed in the Apple Wireless Direct Link (AWDL) protocol allows a complete device takeover of any iPhone. Early reports offered a false sense of security, implying that a "total phone takeover" is possible only within the device's Wi-Fi range. In reality, as with FragAttacks, AWDL exploitation can happen with any wireless-enabled device that hackers can take over, even when they are thousands of miles away.

The corporate network airspace is completely exposed, and the increase in wireless antenna devices combined with these digital airborne attacks makes corporate network airspace a huge, unprotected attack surface. Companies must actively monitor and control their corporate network airspace to prevent this new attack surface from becoming an entry point into the corporate network and disrupting the business.

Amichai is a cybersecurity researcher and entrepreneur. He carries more than 25 years of cybersecurity experience in military, government, and commercial environments. He co-founded Imperva and served as CTO for the company for more than 15 years, driving innovation and ...