Device Vendors Scrambling As FragAttacks Circumvent Wi-Fi Security

Any and all devices that are connected to Wi-Fi, or have been in the past, are now considered compromised by a newly uncovered host of vulnerabilities. Belgian security researcher Mathy Vanhoef, who gained fame a few years ago by finding an entirely different Wi-Fi exploit called KRACK, has led an informational campaign on these recent “FragAttacks.” Though the name is a portmanteau of “fragmentation” and “aggregation,” FragAttacks also extends to devices without Wi-Fi frame fragmentation. Hackers are bypassing all forms of standard Wi-Fi network security to reap sensitive data.

Vanhoef stated, "The biggest risk in practice is likely the ability to abuse the discovered flaws to attack devices in someone's home network. For instance, many smart home and internet-of-things devices are rarely updated, and Wi-Fi security is the last line of defense that prevents someone from attacking these devices. Unfortunately... this last line of defense can now be bypassed." Testing more than 75 devices in combination with an assortment of operating systems, Vanhoef found at least one critical weakness in every combination. He said that "the discovery of these vulnerabilities comes as a surprise because the security of Wi-Fi has in fact significantly improved over the past years."

There are a dozen unique vulnerabilities in play here. Nine of them stem from short-sighted programming in particular Wi-Fi products. The rest are design flaws in the Wi-Fi standard itself that extend even to the WEP security standard, indicating they might have been present since the dawn of Wi-Fi in 1997. The effort required from malicious actors to exploit these vulnerabilities ranges from trivial (the implementation flaws) to extensive, as in the case of the inherent Wi-Fi design shortcomings, which depend on real-time user interaction or a hard-to-crack network configuration.

Vendors such as Microsoft, Aruba, Cisco, and Intel have published user-friendly mitigation guidance and official patches. Microsoft released three separate updates aimed at three of the prevailing weaknesses and issued patches compatible with Windows 10, 8.1, and 7. Others are in the process of following suit and identifying affected devices; a cumulative list is being aggregated on the Industry Consortium for Advancement of Security on the Internet (ICASI) webpage. There was, after all, a 9-month embargo on the FragAttacks disclosure to give vendors a fighting chance at addressing the flaws effectively before press coverage stirred up any chaos.

Some anecdotal preventative measures spring to mind. Manually configured DNS servers are considerably harder to crack than their automatically determined counterparts. Further, network administrators can harden Wi-Fi by disabling fragmentation, pairwise rekeying, and dynamic fragmentation in Wi-Fi 6 devices. More general safeguards include strong and diverse password choices, interaction with only trusted websites, and use of HTTPS at every opportunity.