It’s not exactly uplifting to learn that your wireless devices are vulnerable to “FragAttacks.” Even though millions of wireless devices could be vulnerable to FragAttacks (short for “fragmentation and aggregation attacks”), the word is scarier than the risk: there’s no evidence that anyone is actively exploiting these vulnerabilities.
As security researcher Mathy Vanhoef writes:
“The discovered vulnerabilities affect all modern security protocols of Wi-Fi, including the latest WPA3 specification. Even the original security protocol of Wi-Fi, called WEP, is affected. This means that several of the newly discovered design flaws have been part of Wi-Fi since its release in 1997! Fortunately, the design flaws are hard to abuse because doing so requires user interaction or is only possible when using uncommon network settings. As a result, in practice the biggest concern are the programming mistakes in Wi-Fi products since several of them are trivial to exploit.”
What’s a FragAttack?
The term “FragAttack” refers to a set of vulnerabilities in how Wi-Fi devices handle frames, or data packets, that can be used to either steal data as it travels between networked devices or take control of a device entirely—whether it’s a simple IoT smart switch or that old laptop you use to browse the web at home. Attackers can either inject unwanted, unencrypted frames into a network or exploit how frames are aggregated together (or aggregates are split apart) to inject and execute data that wasn’t there before.
However, as Vanhoef points out, in order to cause havoc, an attacker would need to be within radio range of your network. That reduces your potential risk because that isn’t something you’re likely to encounter at home or in your apartment (unless you have a sneaky neighbor).
Simple steps to protect yourself from FragAttacks
The best way to keep your network safe from FragAttack vulnerabilities is to keep your devices updated—this is the same advice we give everyone about every security vulnerability we’ve ever encountered. Ensure that all of your routers, smart devices, laptops, phones, and other devices are running the most recent firmware and software updates available. If you’re lucky, the manufacturer of your devices will have a way to update them automatically. Otherwise, you’ll need to make sure you’re checking for critical updates on a regular basis (say, quarterly) to patch vulnerabilities like these.
For example, Eero has already updated its routers to completely block any FragAttack-style vulnerabilities from being exploited:
“Many of the vulnerabilities discovered by the researchers do not affect eero networks due to a combination of custom changes to our networking software that we have made over the years. Additionally, eeroOS 6.2.1 and later includes a patch that will protect your network from the ‘FragAttacks (fragmentation and aggregation attacks)’ vulnerabilities and is now available to all eero customers. You can tap the details of any of your eeros in the mobile app and trigger an OTA update if the version you are seeing isn’t 6.2.1 or newer in the Settings tab.”
Additionally, use browser extensions such as HTTPS Everywhere to ensure that you’re always connecting to secure websites (and that the data you’re passing through your devices can’t be intercepted). To help thwart any attacks that attempt to reroute a device to a malicious DNS server, I recommend manually setting a custom DNS server in your router and/or devices.
Aside from that, don’t stress too much about it. Yes, these flaws exist in almost every networked device, but they’re (thankfully) obscure enough and difficult enough to exploit (an attacker has to be physically within radio range of your network) that you should be fine as long as you keep up with your security and updates—which you should be doing anyway.