Mathy Vanhoef, a well respected Wi-Fi security researcher, has identified a dozen vulnerabilities in the 802.11 protocol called FragAttacks.
FragAttacks is short for Fragmentation and Aggregation Attacks. It’s based upon how wireless frames are received and reassembled on a device or access point (AP). Unfortunately, this vulnerability has been present since Wi-Fi existed and nearly all wireless devices are vulnerable to FragAttacks. All security methods are impacted, from WEP to WPA3.
FragAttacks exploits the way 802.11 stations receive, store and process frames that are transmitted using the 802.11 protocol.
The frame fragmentation and aggregation functionality vulnerability could allow an attacker to forge encrypted frames to exfiltrate sensitive data from a targeted device.
Additionally, a victim could be exploited to inject additional data at the right time, such as performing packet injection of a malicious DNS server towards the client.
It’s important to note that this doesn’t mean Wi-Fi encryption is broken, although we should point you to the previous research Mathy has done on KRACK Attack.
The act of leveraging this vulnerability is possible. It will require a malicious attacker to be in proximity of a target victim. The attacker would need to perform a man-in-the-middle (MiTM) attack to get the victim to join a rogue AP. From there, the attacker must perform the frame fragmentation and aggregation attack.
What should you do?
Educate yourself on how FragAttacks works. We’ve listed several resource links down below, especially to Mathy Vanhoef’s research paper. Discuss the topic with your peers to get a further understanding.
Most importantly, do not freak out.
Reach out to your AP vendor to identify a fix you can apply to your infrastructure. We’ve listed major vendor releases down below. If you’re using cloud-managed APs you’ll be able to update easily.
For those using WLAN controllers, it may be more challenging. The fix will require new code to be deployed. Before deploying new code, understand which APs are supported in that code. You may need to replace older APs first.
The weakest point will be end user and IoT devices. Everything needs an update to patch this vulnerability. All operating systems and consumer routers need to apply a patch, many of which are coming in the near future.
Educate users to update their devices regularly in order to address past and present vulnerabilities.
Links & Resources
- Official FragAttacks website
- Official FragAttacks Paper
- FragAttacks tools for testing (Github)
- Video showcasing the FragAttacks exploit
- Official announcement from the ICASI
- FragAttacks Overview
- Wi-Fi alliance announcement
- François’ post on SemFio’s blog
Vendors’ Security Advisory:
- Juniper: https://www.mist.com/documentation/mist-security-advisory-fragattacks-and-faq
- Ruckus: https://support.ruckuswireless.com/fragattacks-ruckus-technical-support-response-center
- Cisco: https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-wifi-faf-22epcEWu.html
- Meraki: Same Cisco – starting in June 2021, October 2021 for MX with Wi-Fi capabilities
- Aruba: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-011.txt