Time to patch against FragAttacks but good luck with home routers and IoT devices

A dozen flaws discovered, with at least one hitting anything that uses Wi-Fi. Thankfully, Microsoft patches are out, and Linux kernel patches are coming.
Written by Chris Duckett, Contributor

Security researcher Mathy Vanhoef, who loves to poke holes in Wi-Fi security, is at it again, this time finding a dozen flaws that stretch back to cover WEP and seemingly impact every device that makes use of Wi-Fi.

Thankfully, as Vanhoef explained, many of the attacks are hard to abuse and require user interaction, while others remain trivial.

Also: Colonial Pipeline attack: Everything you need to know

Another positive is Microsoft shipped its patches on March 9, while a patch to the Linux kernel is working its way through the release system. The details of FragAttacks follow a nine-month embargo to give vendors time to create patches.

"An adversary that is within radio range of a victim can abuse these vulnerabilities to steal user information or attack devices," Vanhoef said in a blog post.

"Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities."

Several of the identified flaws relate to the ability to inject plaintext frames, as well as certain devices accepting any unencrypted frame or accept plaintext aggregated frames that look like handshake messages.

Vanhoef demonstrated how this could be used to punch a hole in a firewall and thereby take over a vulnerable Windows 7 machine.

"The biggest risk in practice is likely the ability to abuse the discovered flaws to attack devices in someone's home network," the security researcher wrote.

"For instance, many smart home and internet-of-things devices are rarely updated, and Wi-Fi security is the last line of defense that prevents someone from attacking these devices. Unfortunately ... this last line of defense can now be bypassed."

Other vulnerabilities relate to how Wi-Fi frames are fragmented and how receivers reassemble them, allowing an attacker to exfiltrate data. Even devices that do not support fragmentation were at risk.

"Some devices don't support fragmentation or aggregation, but are still vulnerable to attacks because they process fragmented frames as full frames," Vanhoef wrote. "Under the right circumstances this can be abused to inject packets."

Some networking vendors such as Cisco and Juniper are starting to push patches for some of their impacted products, while Sierra has planned some of its products to be updated over the next year, and others will not be fixed.

The CVEs registered to due FragAttacks have been given a medium severity rating and have CVSS scores sitting between 4.8 to 6.5.

"There is no evidence of the vulnerabilities being used against Wi-Fi users maliciously, and these issues are mitigated through routine device updates that enable detection of suspect transmissions or improve adherence to recommended security implementation practices," the Wi-Fi Alliance wrote.

Vanhoef said anyone with unpatched devices can protect against data exfiltration by using HTTPS connections.

"To mitigate attacks where your router's NAT/firewall is bypassed and devices are directly attacked, you must assure that all your devices are updated. Unfortunately, not all products regularly receive updates, in particular smart or internet-of-things devices, in which case it is difficult (if not impossible) to properly secure them," the researcher wrote.

"More technically, the impact of attacks can also be reduced by manually configuring your DNS server so that it cannot be poisoned. Specific to your Wi-Fi configuration, you can mitigate attacks (but not fully prevent them) by disabling fragmentation, disabling pairwise rekeys, and disabling dynamic fragmentation in Wi-Fi 6 (802.11ax) devices."

Related Coverage

Editorial standards