Millions of Wi-Fi devices released in the past 24 years are vulnerable to FragAttacks

Several vulnerabilities in the way the Wi-Fi standard breaks and reassembles network packets, along with software bugs on Wi-Fi capable devices, makes it easy for a hacker to steal your data or attack other devices connected to your network. Patches to mitigate these are coming, but it may take a while to get them and some older devices may never receive an update.

These days most of us take Wi-Fi for granted, but that doesn’t mean the protocol is perfect, nor that it’s truly secure. A widespread vulnerability however is not fully expected but according to Belgian security researcher Mathy Vanhoef, the Wi-Fi standard has a several vulnerabilities that cover devices dating as far back as 1997.

This basically means that almost any Wi-Fi-capable device sold in the past 24 years is affected. Vanhoef previously discovered a different Wi-Fi weakness dubbed “Key Reinstallation AttaCK” (KRACK) that allowed an attacker to take over a Wi-Fi network in seconds, as long as they were within physical range.

The new flaws are collectively called “FragAttacks,” which is short for “fragmentation and aggregation attacks.” Vanhoef explains that three of the vulnerabilities are design flaws in the Wi-Fi standard, while the others are mostly the result of bad programming of the device firmware in various Wi-Fi products.

On the positive side, three of the Wi-Fi design flaws are hard to exploit, as they require uncommon network settings and the attacks are more difficult to set up, often requiring user interaction to be successful. The implementation flaws, however, are described as trivial to exploit and affect devices such as smart home appliances and other IoT devices, many of which aren’t updated very often, and sometimes completely abandoned.

One of the design flaws is present in the frame aggregation functionality, and allows an attacker to flip an unauthenticated flag in a network data frame header. This effectively allows them to inject arbitrary frames and make your device use a malicious DNS server. From there it’s easy for the attacker to steal your sensitive information, and Vanhoef says two out of four home routers he tested were vulnerable to this attack.

Other vulnerabilities stem from bad implementations allowing some devices to accept “plaintext aggregated frames that look like handshake messages,” or accept unencrypted broadcast fragments. Several devices are affected by this, including some popular smartphones and several IoT devices.

Vanhoef tested 75 devices in total with a variety of operating system combinations, and found all of them were vulnerable to one or more of the attacks detailed in his paper. He also notes “the discovery of these vulnerabilities comes as a surprise because the security of Wi-Fi has in fact significantly improved over the past years.”

Nine months ago, the researcher shared his findings with the Wi-Fi Alliance, which has been working closely with device manufacturers to coordinate patches for the 12 flaws. This will prove to be a nightmare for the likes of Cisco, Juniper, HPE, Intel, Netgear, Samsung, Zyxel, Lenovo, Synology, and Eero. You can check if your device has been updated for any of these issues on the Industry Consortium for Advancement of Security on the Internet (ICASI) website.

As noted by The Record and ZDNet, Linux kernel patches are on the way and Microsoft’s Patch Tuesday update for May 2021 should fix three of the twelve vulnerabilities.

There’s no evidence that any of these vulnerabilities has been exploited in the wild, but if you want to be on the safe side it’s worth applying some of the advice that Vanhoef points out on his blog. For instance, make sure to only visit sites that use HTTPS, which is easy if you use an up-to-date web browser and an extension like HTTPS Everywhere. Keep your software up to date, use strong passwords for everything, and make frequent backups of important files. If you have a Wi-Fi 6 router, it’s important to disable dynamic fragmentation, although that won’t fully prevent these attacks.