FragAttacks – Time to Patch

by Michael Lester

Posted on at 09:04am


On May 11th, security researcher Mathy Vanhoef published a paper, “Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation”, and Wi-Fi professionals everywhere began dissecting the treasure trove of information it contained. It turns out that from the advent of Wi-Fi in 1997 through to the present day there have been three fundamental design flaws in Wi-Fi. The most trivial of these relates to the function for aggregating frames; the other two relate to the fragmentation of Wi-Fi frames.

Mathy also identified a relatively substantial number of implementation flaws which were broadly exploitable across vendors, ranging from the trivial (such as failing to check whether fragments belong to the same frame) to the more complex. These, in conjunction with the underlying design flaws, mean that execution of an attack is not a purely theoretical exercise – it can and has been done.
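As an added illustration (not code from the post or from Vanhoef's paper), here is a minimal model of the receiver-side check that the "fragments belong to the same frame" flaw omits: a reassembler that only joins fragments sharing the same sender and sequence number, arriving in fragment-number order, and decrypted with the same key (the same-key requirement reflects one of the paper's design flaws; the `key_id` field and the sample frames are assumptions constructed for the example). Setting `strict=False` reproduces a receiver that checks fragment numbering alone.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Fragment:
    sender: str     # transmitter address
    seq: int        # 802.11 sequence number, shared by all fragments of one frame
    frag: int       # fragment number, 0-based and consecutive within a frame
    more: bool      # More Fragments flag, clear on the last fragment
    key_id: int     # assumption: identifier of the key the fragment was decrypted with
    payload: bytes


@dataclass
class Reassembler:
    strict: bool = True
    _buf: list = field(default_factory=list)

    def _belongs_to_current_frame(self, frag):
        first = self._buf[0]
        in_order = frag.frag == len(self._buf)
        if not self.strict:
            return in_order  # flawed receiver: only looks at the fragment number
        return (in_order and frag.sender == first.sender
                and frag.seq == first.seq and frag.key_id == first.key_id)

    def receive(self, frag):
        """Feed one decrypted fragment; return the frame payload once complete."""
        if frag.frag == 0:
            self._buf = [frag]          # a new frame always restarts the buffer
        elif not self._buf or not self._belongs_to_current_frame(frag):
            self._buf = []              # mismatch: discard the partial frame
            return None
        else:
            self._buf.append(frag)
        if frag.more:
            return None
        data = b"".join(f.payload for f in self._buf)
        self._buf = []
        return data


def reassemble_all(frags, strict=True):
    """Run a fragment sequence through one receiver; return completed payloads."""
    r = Reassembler(strict=strict)
    return [d for d in (r.receive(f) for f in frags) if d is not None]


# Constructed samples: a well-formed two-fragment frame, and the same first
# fragment followed by a fragment of a different frame (other seq and key).
GOOD = [Fragment("02:00:00:00:00:01", 7, 0, True, 1, b"GET /index"),
        Fragment("02:00:00:00:00:01", 7, 1, False, 1, b".html")]
MIXED = [Fragment("02:00:00:00:00:01", 7, 0, True, 1, b"GET /index"),
         Fragment("02:00:00:00:00:01", 9, 1, False, 2, b".html")]
```

A strict receiver yields `[b"GET /index.html"]` for `GOOD` and nothing for `MIXED`; the non-strict one happily joins the mixed fragments into the same payload.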

The disclosure was a coordinated multi-vendor one, which took around 9 months to see the light of day. 

The paper itself is fascinating, and if you feel like delving very deep into the weeds, it’s available here: https://papers.mathyvanhoef.com/usenix2021.pdf 


The nice thing about Wi-Fi attacks is that there is always a physical presence involved. In order for these exploits to be targeted, the attacker needs to either be physically present within an appropriate radius of client devices or leave a device in such a location. Most organisations are going to notice someone they don’t know hanging around, and so for many businesses the impact of this is likely to be low. However, in higher security environments, or in particularly large geographies, the chance of an attacker going undetected is much lower. Also consider that in an education environment, the chance of a particularly savvy student deciding to test the waters is perhaps a little higher.

While the attack code has not yet been released, it will be soon and it won’t take long for other security researchers to reverse engineer the patches that are being released and come up with working attack code. Time is of the essence here.

Next Steps

So what does this mean to the average enterprise Wi-Fi network and/or to our home and small business users? It means that we need to patch, and we need to patch relatively quickly. Beginning today, you will see a raft of enterprise Wi-Fi AP vendors and Wi-Fi NIC vendors releasing a bunch of patches to address these vulnerabilities. We’ve already seen a bunch come through this morning from the major vendors that we deal with, and we anticipate seeing more come through from the low-mid tier ones in the coming days and weeks. Some vendors (such as Microsoft) released patches for this back in March, when the vulnerability was originally due to be disclosed.

In short, we need to patch, and you need to patch. Infrastructure maintainers need to ensure their Wi-Fi APs are patched against the disclosures and follow their manufacturers’ guidance. Consumer devices need to be patched to the latest update/driver/firmware levels to ensure they are adequately protected against the impact. IoT devices? Well, given that these are rarely if ever updated, they should be treated as they hopefully already are – completely untrusted and on segmented networks. If your IoT vendor does release a patch, get it applied as soon as possible.

Wi-Fi is an amazing beast, but the attack Mathy and his team have disclosed demonstrates the substantial complexity that goes on under the hood. Misconfiguration of a Wi-Fi network can have substantial impact, and this becomes strongly highlighted when attacks like this make their way to the foreground.

If you need help getting up to speed, reach out and give us a call.


Vendor Links:

Aruba: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-011.txt

Ruckus: https://www.commscope.com/fragattacks-commscope-ruckus-resource-center/wifi-fragattacks-what-you-need-to-know/

Mist: https://www.mist.com/documentation/mist-security-advisory-fragattacks-and-faq/ 

Cambium/Xirrus: Not yet released, but will be available here https://www.cambiumnetworks.com/security/