Why We Need to Raise the Red Flag Against FragAttacks

Proliferation of wireless devices increases the risk that corporate networks will be attacked with this newly discovered breed of Wi-Fi-based cyber assault.

Amichai Shulman, CTO and Co-founder of AirEye

July 13, 2021

4 Min Read

A newly discovered breed of cyber assault is threatening corporate networks. Dubbed "FragAttacks" (Fragmentation and Aggregation Attacks) by Mathy Vanhoef, the researcher who discovered them, these security breaches are a subcategory of digital airborne attacks performed over Wi-Fi networks. Combined with wireless-enabled devices that can become an antenna for hackers, digital airborne attacks must raise the cybersecurity industry's red flag.

At a high level, FragAttacks exploit vulnerabilities in Wi-Fi design and implementation. The vulnerabilities, which relate to packet aggregation and frame fragmentation, allow attackers to intercept encrypted frames and manipulate them to include attacker-controlled commands that can invoke data exfiltration or device takeover. The vulnerabilities affect all versions of Wi-Fi security, from the original 1997 WEP through the latest WPA3 release.

While the FragAttacks vulnerabilities are rated medium risk, they are the perfect storm for infiltrating corporate networks without leaving a trace.

Here are four reasons we need to take FragAttacks more seriously.

1. FragAttacks Can Be Carried Out Remotely

A dangerous misconception is that a hacker must be in physical proximity to a target to launch an attack. FragAttacks can be carried out by hackers sitting in front of a computer, thousands of miles away from their target. This is because Wi-Fi-enabled devices, both those within the corporate control radius and those outside it, can be commandeered remotely as "antennae" for hackers. These antennae — a Wi-Fi-enabled printer, an Amazon Alexa, or a wireless security camera at a nearby store — can be exploited using readily available, software-based wireless attack tools, giving hackers a remotely accessible stepping-stone to carry out a FragAttack.

2. FragAttacks Can Bypass Network Security

Some of these vulnerabilities enable an attacker to communicate with a device behind the firewall — even if that device is connected to a wired network. An attacker can inject small Internet Protocol (IP) packets within the communication that, for example, mess with DNS configuration devices on the network. Other FragAttack vulnerabilities allow direct interaction with corporate Wi-Fi devices over the air. Hence, no existing network security solution — not firewalls, network access control, wireless encryption, or other technology — can detect and mitigate FragAttacks.

3. All Wireless Devices on Your Network Are Vulnerable

The number and nature of FragAttack vulnerabilities suggest that all devices can become compromised. As evidence, every device the researchers tested was vulnerable to at least some FragAttack-related threats. Software patches are being developed that might reduce the number of devices vulnerable to FragAttacks. However, not all devices can be patched. The number and diversity of vulnerable devices mean patching will not be a viable long-term solution. It is hard enough to implement device patches broadly, even with a single device type with a patch made by its vendor. But when numerous devices from multiple vendors are involved, any hope of full protection through device patching becomes uncertain.

4. FragAttacks Leave No Trace in Network Logs

As hard as FragAttacks are to prevent, they are equally difficult to track afterward.

The saying "what you don't know won't hurt you" is not true for cybersecurity attacks. Security professionals often talk about revealing attackers as quickly as possible and reducing dwell time. But existing security tools don't record 802.11 traffic — the only place FragAttacks might leave a trace — because of the assumption that anything related to forensic interests must be on the IP level or higher.

FragAttacks Are the Tip of the Iceberg

In early 2018, when Meltdown and Spectre were reported as the first chip architecture-related vulnerabilities, many considered them one-off events. Since then, the number of such vulnerabilities proves those predictions were wrong. The fact that some of the FragAttack-prone vulnerabilities have been in place since 1997 suggests that no one was looking for them. Now that Mathy Vanhoef has put a spotlight on the security shortcomings in standard Wi-Fi networks, other researchers (and, more critically, other hackers) are bound to follow suit, exposing even more vulnerabilities that increase the risk of digital airborne attacks.

Attacks that leverage wireless-enabled devices have widespread ramifications. FragAttacks are not the only attacks that can be launched remotely. For instance, a flaw recently revealed in the Apple Wireless Direct Link (AWDL) protocol allows a complete device takeover of any iPhone. Early reports offered a false sense of security, implying that a "total phone takeover" is possible only within the device's Wi-Fi range. In reality, as with FragAttacks, AWDL exploitation can happen with any wireless-enabled device that hackers can take over, even when they are thousands of miles away.

The corporate network airspace is completely exposed, and the increase in wireless antenna devices combined with these digital airborne attacks make corporate network airspace a huge, unprotected attack surface. Companies must actively monitor and control their corporate network airspace to prevent this new attack surface from becoming an entry point into the corporate network and disrupting the business.

About the Author(s)

Amichai Shulman

CTO and Co-founder of AirEye

Amichai is a cybersecurity researcher and entrepreneur. He carries more than 25 years of cybersecurity experience in military, government, and commercial environments. He co-founded Imperva and served as CTO for the company for more than 15 years, driving innovation and thought leadership. Amichai holds 45 issued patents in the field of data and application security, covering methods for protecting Web applications, detecting attacks against databases, and deploying advanced deception mechanisms.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights