FragAttacks: Wi-Fi Vulnerabilities Impacting Almost All Connected Devices Discovered, Windows Gets Patched

Multiple vulnerabilities have been discovered that are claimed to affect all modern Wi-Fi security protocols and impact a range of devices ranging from smartphones to routers and even small IoT devices. The vulnerabilities have been brought into notice by a Belgian cybersecurity expert who previously gained popularity for co-finding the widespread Wi-Fi vulnerabilities in the WPA2 protocol that resulted in key reinstallation attacks — commonly called KRACKs. Those security loopholes were fixed by most of the tech companies to avoid leaking of user data.

Mathy Vanhoef has found the new set of Wi-Fi vulnerabilities that he calls “fragmentation and aggregation attacks” — or FragAttacks in short. The researcher detailed the flaws through a dedicated site, as initially reported by Gizmodo.

According to the details provided online, there are 12 different security issues that could potentially leak user data or allow hackers to gain access to a device. Three of the discovered vulnerabilities are design flaws in the Wi-Fi standard and are thus believed to impact most devices out in the market, Vanhoef said. However, the researcher also found several other vulnerabilities that exist due to programming-level issues in Wi-Fi devices.

In one case, Vanhoef noted that a hacker could exploit Wi-Fi networks by injecting plaintext aggregated frames that look like handshake messages on a system. He also mentioned another flaw that could be exploited by tricking victims into processing encrypted transported data unintentionally.

The issues could impact users on Wi-Fi networks based on WPA2 or even WPA3 standards, the researcher said. A video demonstration of the key flaws has also been provided by the researcher.

Thankfully, Vanhoef underlined that the design flaws he found are hard to abuse as attackers require user interaction or need to use some uncommon network settings. The vulnerabilities were reported to various device makers and some of them have provided fixes for their devices. Similarly, the researcher informed the Wi-Fi Alliance and helped prepare security updates during a nine-month-long coordinated disclosure.

Although the exact period for how long the vulnerabilities exist is unknown, Vanhoef said on his site that even the original security protocol of Wi-Fi — WEP — is affected. It was notably released back in 1997.

Users are advised to install the latest software updates on their Wi-Fi devices to patch the loopholes. Microsoft has issued updates to address three of the more common vulnerabilities in Windows 10, Windows 8.1, and Windows 7. You should install these updates on your system to stay protected.

Similarly, companies including Cisco, Ruckus, Intel, Lenovo, Netgear, Samsung, and Synology have released patches for their devices. Given the reputation of Vanhoef and thanks to his background with discovering KRACK attacks, many other companies are likely to release patches for their devices in the coming days. Meanwhile, in case if a user doesn't get an update for their devices, Vanhoef recommended that the issues can be mitigated by visiting only websites that use HTTPS, have the latest updates in place, and must not reuse passwords.

Why did LG give up on its smartphone business? We discussed this on Orbital, the Gadgets 360 podcast. Later (starting at 22:00), we talk about the new co-op RPG shooter Outriders. Orbital is available on Apple Podcasts, Google Podcasts, Spotify, and wherever you get your podcasts.