Dark Reading

Attacks/Breaches

7/13/2021 01:00 PM
Amichai Shulman
Commentary

Why We Need to Raise the Red Flag Against FragAttacks

Proliferation of wireless devices increases the risk that corporate networks will be attacked with this newly discovered breed of Wi-Fi-based cyber assault.

A newly discovered breed of cyber assault is threatening corporate networks. Dubbed "FragAttacks" (Fragmentation and Aggregation Attacks) by Mathy Vanhoef, the researcher who discovered them, these security breaches are a subcategory of digital airborne attacks performed over Wi-Fi networks. Combined with wireless-enabled devices that can become an antenna for hackers, digital airborne attacks must raise the cybersecurity industry's red flag.


At a high level, FragAttacks exploit vulnerabilities in Wi-Fi design and implementation. The vulnerabilities, which relate to packet aggregation and frame fragmentation, allow attackers to intercept encrypted frames and manipulate them to include attacker-controlled commands that can invoke data exfiltration or device takeover. The vulnerabilities affect all versions of Wi-Fi security, from the original 1997 WEP through the latest WPA3 release.

While the FragAttacks vulnerabilities are rated medium risk, they are the perfect storm for infiltrating corporate networks without leaving a trace.

Here are four reasons we need to take FragAttacks more seriously.

1. FragAttacks Can Be Carried Out Remotely
A dangerous misconception is that a hacker must be in physical proximity to a target to launch an attack. FragAttacks can be carried out by hackers sitting in front of a computer, thousands of miles away from their target. This is because Wi-Fi-enabled devices, both those within the corporate control radius and those outside it, can be commandeered remotely as "antennae" for hackers. These antennae — a Wi-Fi-enabled printer, an Amazon Alexa, or a wireless security camera at a nearby store — can be exploited using readily available, software-based wireless attack tools, giving hackers a remotely accessible stepping-stone to carry out a FragAttack.

2. FragAttacks Can Bypass Network Security
Some of these vulnerabilities enable an attacker to communicate with a device behind the firewall — even if that device is connected to a wired network. An attacker can inject small Internet Protocol (IP) packets into the communication that, for example, tamper with the DNS configuration of devices on the network. Other FragAttack vulnerabilities allow direct interaction with corporate Wi-Fi devices over the air. Hence, no existing network security solution — not firewalls, network access control, wireless encryption, or other technology — can detect and mitigate FragAttacks.

3. All Wireless Devices on Your Network Are Vulnerable
The number and nature of FragAttack vulnerabilities suggest that all devices can become compromised. As evidence, every device the researchers tested was vulnerable to at least some FragAttack-related threats. Software patches are being developed that might reduce the number of devices vulnerable to FragAttacks. However, not all devices can be patched. The number and diversity of vulnerable devices mean patching will not be a viable long-term solution. It is hard enough to implement device patches broadly, even with a single device type with a patch made by its vendor. But when numerous devices from multiple vendors are involved, any hope of full protection through device patching becomes uncertain.

4. FragAttacks Leave No Trace in Network Logs
As hard as FragAttacks are to prevent, they are equally difficult to track afterward.

The saying "what you don't know won't hurt you" is not true for cybersecurity attacks. Security professionals often talk about revealing attackers as quickly as possible and reducing dwell time. But existing security tools don't record 802.11 traffic — the only place FragAttacks might leave a trace — because of the assumption that anything related to forensic interests must be on the IP level or higher.
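The previous two sections make a concrete point for defenders: the aggregation and fragmentation mechanisms the attacks rely on are visible only in the 802.11 MAC header, which IP-level logging never sees. The following is an added example, not code from the article or from Vanhoef's research, showing the minimum an 802.11-layer monitor has to decode to record those two mechanisms: it parses the Frame Control, Sequence Control and QoS Control fields of data frames captured in monitor mode and flags frames that carry an A-MSDU aggregate or are part of a fragmented exchange. The sample frames are constructed inline (the MAC addresses and the `build_frame` helper are assumptions for the demo). Aggregation and fragmentation also occur in legitimate traffic, so the output is an audit record to retain and correlate, not a verdict of compromise.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Flag bits of the Frame Control field (second byte, 802.11 MAC header)
FLAG_TO_DS = 0x01
FLAG_FROM_DS = 0x02
FLAG_MORE_FRAG = 0x04
FLAG_PROTECTED = 0x40
# "A-MSDU present" bit (bit 7) of the QoS Control field of QoS Data frames
QOS_AMSDU_PRESENT = 0x0080


@dataclass
class FrameSummary:
    transmitter: str   # Address 2
    receiver: str      # Address 1
    seq: int
    frag: int
    more_frag: bool
    protected: bool
    qos: bool
    amsdu: bool

    def alerts(self) -> List[str]:
        """Mechanisms worth recording at the 802.11 layer."""
        out = []
        if self.amsdu:
            out.append("aggregated (A-MSDU) data frame")
        if self.frag != 0 or self.more_frag:
            out.append("fragmented data frame")
        return out


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_data_frame(raw: bytes) -> Optional[FrameSummary]:
    """Decode the MAC header of an 802.11 data frame.

    Returns None for non-data frames or truncated input. Layout: Frame
    Control(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)
    [Addr4(6) if ToDS and FromDS] [QoS Control(2) if QoS Data subtype].
    """
    if len(raw) < 24:
        return None
    fc = struct.unpack_from("<H", raw, 0)[0]
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    flags = (fc >> 8) & 0xFF
    if ftype != 2:                      # only data frames carry MSDUs
        return None
    seqctl = struct.unpack_from("<H", raw, 22)[0]
    offset = 24
    if flags & FLAG_TO_DS and flags & FLAG_FROM_DS:
        offset += 6                     # 4-address (WDS) header
    qos = bool(subtype & 0x8)           # QoS Data subtypes are 8..15
    amsdu = False
    if qos:
        if len(raw) < offset + 2:
            return None
        qosctl = struct.unpack_from("<H", raw, offset)[0]
        amsdu = bool(qosctl & QOS_AMSDU_PRESENT)
    return FrameSummary(
        transmitter=_mac(raw[10:16]), receiver=_mac(raw[4:10]),
        seq=seqctl >> 4, frag=seqctl & 0xF,
        more_frag=bool(flags & FLAG_MORE_FRAG),
        protected=bool(flags & FLAG_PROTECTED),
        qos=qos, amsdu=amsdu)


def audit(frames: List[bytes]) -> List[dict]:
    """Return one record per data frame that uses aggregation or fragmentation."""
    findings = []
    for raw in frames:
        s = parse_data_frame(raw)
        if s is None:
            continue
        hits = s.alerts()
        if hits:
            findings.append({"transmitter": s.transmitter, "receiver": s.receiver,
                             "seq": s.seq, "frag": s.frag,
                             "protected": s.protected, "alerts": hits})
    return findings


# --- constructed sample capture (assumed addresses, not real traffic) -------
ADDR_AP = bytes.fromhex("02aabbccdd01")
ADDR_STA = bytes.fromhex("02112233ee02")


def build_frame(ftype: int, subtype: int, flags: int, seq: int, frag: int,
                qosctl: Optional[int] = None) -> bytes:
    """Assemble a minimal station-to-AP frame header plus a dummy body."""
    fc = (ftype << 2) | (subtype << 4) | (flags << 8)
    hdr = struct.pack("<HH", fc, 0) + ADDR_AP + ADDR_STA + ADDR_AP
    hdr += struct.pack("<H", (seq << 4) | frag)
    if qosctl is not None:
        hdr += struct.pack("<H", qosctl)
    return hdr + b"\x00" * 16


PROT_UP = FLAG_PROTECTED | FLAG_TO_DS
SAMPLE_FRAMES = [
    build_frame(2, 0, PROT_UP, 10, 0),                      # ordinary data
    build_frame(2, 8, PROT_UP, 11, 0, qosctl=0x0080),       # QoS data, A-MSDU
    build_frame(2, 0, PROT_UP | FLAG_MORE_FRAG, 12, 0),     # first fragment
    build_frame(2, 0, PROT_UP, 12, 1),                      # last fragment
    build_frame(0, 8, 0, 13, 0),                            # beacon (ignored)
]

if __name__ == "__main__":
    for rec in audit(SAMPLE_FRAMES):
        print(rec)
```

In a real deployment the frames would come from a monitor-mode interface (radiotap header stripped) and the records would be shipped to the same store as the IP-level logs, so that an investigation has an 802.11-layer timeline to consult.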

FragAttacks Are the Tip of the Iceberg
In early 2018, when Meltdown and Spectre were reported as the first chip architecture-related vulnerabilities, many considered them one-off events. Since then, the number of such vulnerabilities proves those predictions were wrong. The fact that some of the FragAttack-prone vulnerabilities have been in place since 1997 suggests that no one was looking for them. Now that Mathy Vanhoef has put a spotlight on the security shortcomings in standard Wi-Fi networks, other researchers (and, more critically, other hackers) are bound to follow suit, exposing even more vulnerabilities that increase the risk of digital airborne attacks.

Attacks that leverage wireless-enabled devices have widespread ramifications. FragAttacks are not the only attacks that can be launched remotely. For instance, a flaw recently revealed in the Apple Wireless Direct Link (AWDL) protocol allows a complete device takeover of any iPhone. Early reports offered a false sense of security, implying that a "total phone takeover" is possible only within the device's Wi-Fi range. In reality, as with FragAttacks, AWDL exploitation can happen with any wireless-enabled device that hackers can take over, even when they are thousands of miles away.

The corporate network airspace is completely exposed, and the increase in wireless antenna devices combined with these digital airborne attacks make corporate network airspace a huge, unprotected attack surface. Companies must actively monitor and control their corporate network airspace to prevent this new attack surface from becoming an entry point into the corporate network and disrupting the business.

Amichai is a cybersecurity researcher and entrepreneur. He carries more than 25 years of cybersecurity experience in military, government, and commercial environments. He co-founded Imperva and served as CTO for the company for more than 15 years, driving innovation and ...