Despite recent improvements in Wi-Fi security, new vulnerabilities in the way most of us receive data over the internet are still being found. That was the case upon the recent discovery of “frag attacks,” which are a result of design flaws in Wi-Fi itself.
That means these issues have existed since the technology’s widespread inception around 1997, and they could have been leveraged in the time since. Technology companies have begun issuing patches for some of their products that are particularly vulnerable to frag attacks, and more vendors will continue to do so.
Next Perimeter is already dealing with this newly discovered vulnerability, ensuring our clients are safe from frag attacks. This post will explain what frag attacks are, how they can wind up in your network, and how they are being dealt with.
Table of Contents
What is a frag attack?
A Frag Attack (Fragmentation and Aggregation Attacks) either captures traffic toward unsecured networks to then clone and impersonate servers, or opens the network by injecting plaintext frames that look like handshake messages. More simply, frag attacks trick your network devices into thinking they are doing something safe.
Three of the issues that emerged are design flaws within Wi-Fi as a protocol. The rest are programming mistakes.
Research into the vulnerabilities showed that accessing networks through these methods is even possible when Wi-Fi networks are secured using WPA2 or WPA3 encryption.
Once victims connect to the corrupted network, the attacker then injects malicious packets of data that trick the victim’s computer into using a malicious DNS server. Due to the design flaw in Wi-Fi, the victim will not be alerted to the altered packets of data that are tricking their computer.
When the victim next visits an unsecured website, the attacker’s DNS server will send them to a copy of the intended website, allowing the cybercriminal to capture keystrokes containing sensitive information like usernames and passwords.
Attackers can also inject malicious packets of data to “punch a hole” in a router’s firewall if a connected device is vulnerable, allowing the attacker to unmask IP addresses and destination ports used to access the device. With this access, attackers can take screenshots of the device, or execute programs on its interface.
Who identified the possibility of frag attacks?
This vulnerability was discovered by a researcher named Mathy Vanhoef, who also discovered the “KRACK” Wi-Fi vulnerability back in 2017. As of this post, Vanhoef is a postdoctoral researcher in computer security at New York University Abu Dhabi.
Vanhoef’s findings on frag attacks can be found in full at fragattacks.com, while his findings on KRACK attacks can be found at KRACKattacks.com. For his breakdown of frag attacks, see Vanhoef’s video below.
What routers and access points are affected by frag attacks?
Because frag attacks exploit fundamental flaws in the Wi-Fi standard, all Wi-Fi-enabled devices are potentially vulnerable—including routers, access points, and IoT devices.
🛑 The most vulnerable devices:
- Older routers and devices without the latest security patches
- Unpatched newer hardware, which remains susceptible until updates are applied
Users should make sure to check that their devices, including routers and network equipment, are up to date with patches and firmware. For businesses with a managed services provider who provides network security services, this is probably already being handled for you. Otherwise, make sure to stay diligent about modern security protocols, like using strong passwords and staying away from websites that do not utilize HTTPS.
How to Protect Your Network from FragAttacks
To ensure your devices are updated and protected, check your router and firmware logs for patches addressing the 12 Common Vulnerabilities and Exposures (CVEs):
Design Flaws in the Wi-Fi Standard
These vulnerabilities exist within the Wi-Fi protocol itself, making security updates crucial.
- CVE-2020-24588 – Requires authentication for the A-MSDU flag in the plaintext QoS header
- CVE-2020-24587 – Ensures that all fragments of a frame are encrypted under the same key
- CVE-2020-24586 – Requires received fragments to be cleared from memory after reconnecting to a network
Implementation Flaws in the Wi-Fi Standard
These result from how Wi-Fi devices process fragmented and aggregated frames, allowing potential attacks.
- CVE-2020-26145 – Accepts second (or subsequent) broadcast fragments even when sent in plaintext, processing them as full unfragmented frames
- CVE-2020-26144 – Accepts plaintext A-MSDU frames if the first 8 bytes match a valid RFC1042 (LLC/SNAP) header for EAPOL
- CVE-2020-26140 – Accepts plaintext frames in a protected Wi-Fi network
- CVE-2020-26143 – Accepts fragmented plaintext frames in a protected Wi-Fi network
Other Implementation Flaws
Additional vulnerabilities result from improper packet handling and fragment reassembly.
- CVE-2020-26139 – Forwards EAPOL frames to other clients even if the sender has not successfully authenticated to the AP
- CVE-2020-26146 – Reassembles fragments with non-consecutive packet numbers
- CVE-2020-26147 – Reassembles fragments even if some were sent in plaintext
- CVE-2020-26142 – Treats fragmented frames as full frames
- CVE-2020-26141 – Fails to verify the Message Integrity Check (MIC) of fragmented TKIP frames
Next Steps: How to Secure Your Network
- Check for firmware updates – Visit your router/access point manufacturer’s website for patches
- Enable automatic updates – Ensure security patches are applied as soon as they’re released
- Upgrade outdated hardware – If your device is no longer supported, consider replacing it with a modern, secure router
- Use strong security settings – Use WPA3 encryption, disable legacy protocols (WEP, TKIP), and enable firewall protections
- Work with a managed IT provider – If your business has an MSP handling network security, they should already be applying these patches for you
🔎 Need help securing your network? Contact Next Perimeter for expert cybersecurity solutions and proactive network protection.
Are frag attacks being actively exploited?
It is hard to tell whether attackers have explicitly targeted these vulnerabilities, and there is no evidence that they have been. Contrarily, cybercriminals work tirelessly to find vulnerabilities, and issues that have been unpatched for over 20 years may have been leveraged in the past.
The good news is that Vanhoef alerted the Wi-Fi Alliance and Industry Consortium for Advancement of Security on the Internet (ICASI) before making his findings public, so tech companies could begin to patch the vulnerabilities early. The Alliance issued an update on May 11, 2021, stating that the hole is easily patched through routine device updates that enable the detection of these transmissions.
Overall, the fact that nobody made note of this vulnerability for so long makes it unlikely that someone other than Vanhoef found it first. If black-hat hackers had exploited it earlier, white-hat hackers would have figured out it was happening.
The potential exploitation of these openings is serious, but the circumstances must be perfect for a cybercriminal to capitalize. To access your network via these vulnerabilities, attackers must be in radio range and have direct interaction with a user on the network. It also requires misconfigured network settings.
How are IT support companies handling frag attacks?
Given how many devices are affected by this vulnerability, the entire technology industry is reliant on manufacturers’ updates to patch them. Vendors have been working on patches for over 9 months since Vanhoef disclosed the vulnerability.
As this is an ongoing development, Next Perimeter is working directly with vendors to ensure that all patches are applied when released. Microsoft silently rolled out the patch that covers these vulnerabilities on March 9, 2021. Because all devices on our managed devices plan are patched as soon as possible, all managed Windows devices covered by Next Perimeter already have the patches they need.
If you are unsure if your current Next Perimeter plan covers patch management, book a consultation with our virtual CIO now.
If you are not yet a Next Perimeter customer, you may call us at 888-286-4816 to take your first step toward the swift patch management that will protect you from frag attacks, and any future vulnerabilities.
