Amichai Shulman

Why We Need to Raise the Red Flag Against FragAttacks

Proliferation of wireless devices increases the risk that corporate networks will be attacked with this newly discovered breed of Wi-Fi-based cyber assault.

A newly discovered breed of cyber assault is threatening corporate networks. Dubbed "FragAttacks" (Fragmentation and Aggregation Attacks) by Mathy Vanhoef, the researcher who discovered them, these security breaches are a subcategory of digital airborne attacks performed over Wi-Fi networks. Combined with wireless-enabled devices that can become an antenna for hackers, digital airborne attacks must raise the cybersecurity industry's red flag.

At a high level, FragAttacks exploit vulnerabilities in Wi-Fi design and implementation. The vulnerabilities, which relate to packet aggregation and frame fragmentation, allow attackers to intercept encrypted frames and manipulate them to include attacker-controlled commands that can invoke data exfiltration or device takeover. The vulnerabilities affect all versions of Wi-Fi security, from the original 1997 WEP through the latest WPA3 release.

While the FragAttacks vulnerabilities are rated medium risk, they are the perfect storm for infiltrating corporate networks without leaving a trace.

Here are four reasons we need to take FragAttacks more seriously.

1. FragAttacks Can Be Carried Out Remotely
A dangerous misconception is that a hacker must be in physical proximity to a target to launch an attack. FragAttacks can be carried out by hackers sitting in front of a computer, thousands of miles away from their target. This is because Wi-Fi-enabled devices, both those within the corporate control radius and those outside it, can be commandeered remotely as "antennae" for hackers. These antennae — a Wi-Fi-enabled printer, an Amazon Alexa, or a wireless security camera at a nearby store — can be exploited using readily available, software-based wireless attack tools, giving hackers a remotely accessible stepping-stone to carry out a FragAttack.

2. FragAttacks Can Bypass Network Security
Some of these vulnerabilities enable an attacker to communicate with a device behind the firewall — even if that device is connected to a wired network. An attacker can inject small Internet Protocol (IP) packets within the communication that, for example, mess with the DNS configuration of devices on the network. Other FragAttack vulnerabilities allow direct interaction with corporate Wi-Fi devices over the air. Hence, no existing network security solution — not firewalls, network access control, wireless encryption, or other technology — can detect and mitigate FragAttacks.

3. All Wireless Devices on Your Network Are Vulnerable
The number and nature of FragAttack vulnerabilities suggest that all devices can become compromised. As evidence, every device the researchers tested was vulnerable to at least some FragAttack-related threats. Software patches are being developed that might reduce the number of devices vulnerable to FragAttacks. However, not all devices can be patched. The number and diversity of vulnerable devices mean patching will not be a viable long-term solution. It is hard enough to implement device patches broadly, even with a single device type with a patch made by its vendor. But when numerous devices from multiple vendors are involved, any hope of full protection through device patching becomes uncertain.

4. FragAttacks Leave No Trace in Network Logs
As hard as FragAttacks are to prevent, they are equally difficult to track afterward.

The saying "what you don't know won't hurt you" is not true for cybersecurity attacks. Security professionals often talk about revealing attackers as quickly as possible and reducing dwell time. But existing security tools don't record 802.11 traffic — the only place FragAttacks might leave a trace — because of the assumption that anything related to forensic interests must be on the IP level or higher.
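
What keeping 802.11-level evidence could look like, as an added example that is not from the original article: a parser that records the fragmentation and aggregation fields of raw 802.11 data-frame headers. The function names and sample frames are constructed for illustration, and because fragmented and aggregated frames are also normal traffic, the output is a forensic record rather than an attack verdict.

```python
import struct

def parse_dot11_header(frame: bytes) -> dict:
    """Pull fragmentation/aggregation fields from a raw 802.11 MAC header (no radiotap)."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte base MAC header")
    fc = struct.unpack_from("<H", frame, 0)[0]         # Frame Control
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]  # Sequence Control
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    rec = {
        "type": ftype,
        "src": frame[10:16].hex(":"),         # Address 2 (transmitter)
        "more_fragments": bool(fc & 0x0400),
        "protected": bool(fc & 0x4000),
        "frag_num": seq_ctrl & 0xF,
        "seq_num": seq_ctrl >> 4,
        "amsdu": False,
    }
    # Address 4 is present only when ToDS and FromDS are both set
    offset = 30 if (fc & 0x0300) == 0x0300 else 24
    if ftype == 2 and subtype & 0x8:          # QoS data subtypes carry QoS Control
        if len(frame) < offset + 2:
            raise ValueError("truncated QoS Control field")
        qos = struct.unpack_from("<H", frame, offset)[0]
        rec["amsdu"] = bool(qos & 0x0080)     # bit 7: A-MSDU Present
    return rec

def forensic_records(frames):
    """Keep one record per data frame that is a fragment or carries an A-MSDU."""
    out = []
    for raw in frames:
        try:
            rec = parse_dot11_header(raw)
        except ValueError:
            continue                          # malformed capture entry
        if rec["type"] == 2 and (rec["more_fragments"] or rec["frag_num"] or rec["amsdu"]):
            out.append(rec)
    return out

def _hdr(fc, seq, frag, qos):
    addrs = bytes.fromhex("020000000001" "020000000002" "020000000003")
    return struct.pack("<HH", fc, 0) + addrs + struct.pack("<HH", (seq << 4) | frag, qos)

SAMPLE_FRAMES = [                  # constructed headers with made-up MAC addresses
    _hdr(0x4188, 100, 0, 0x0000),  # protected QoS data, unfragmented
    _hdr(0x4588, 101, 0, 0x0000),  # first fragment (More Fragments set)
    _hdr(0x4188, 101, 1, 0x0000),  # last fragment of sequence 101
    _hdr(0x4188, 102, 0, 0x0080),  # A-MSDU Present set
    b"\x88\x41",                   # truncated entry
]
```
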

FragAttacks Are the Tip of the Iceberg
In early 2018, when Meltdown and Spectre were reported as the first chip architecture-related vulnerabilities, many considered them one-off events. Since then, the number of such vulnerabilities proves those predictions were wrong. The fact that some of the FragAttack-prone vulnerabilities have been in place since 1997 suggests that no one was looking for them. Now that Mathy Vanhoef has put a spotlight on the security shortcomings in standard Wi-Fi networks, other researchers (and, more critically, other hackers) are bound to follow suit, exposing even more vulnerabilities that increase the risk of digital airborne attacks.

Attacks that leverage wireless-enabled devices have widespread ramifications. FragAttacks are not the only attacks that can be launched remotely. For instance, a flaw recently revealed in the Apple Wireless Direct Link (AWDL) protocol allows a complete device takeover of any iPhone. Early reports offered a false sense of security, implying that a "total phone takeover" is possible only within the device's Wi-Fi range. In reality, as with FragAttacks, AWDL exploitation can happen with any wireless-enabled device that hackers can take over, even when they are thousands of miles away.

The corporate network airspace is completely exposed, and the increase in wireless antenna devices combined with these digital airborne attacks makes corporate network airspace a huge, unprotected attack surface. Companies must actively monitor and control their corporate network airspace to prevent this new attack surface from becoming an entry point into the corporate network and disrupting the business.

Amichai is a cybersecurity researcher and entrepreneur. He carries more than 25 years of cybersecurity experience in military, government, and commercial environments. He co-founded Imperva and served as CTO for the company for more than 15 years, driving innovation and ...