Connect with us

Hi, what are you looking for?


IoT Security

FragAttacks: New Vulnerabilities Expose All Devices With Wi-Fi to Attacks


A researcher this week disclosed the details of a dozen design and implementation flaws that could affect all devices with Wi-Fi capabilities, exposing their users to remote attacks.


A researcher this week disclosed the details of a dozen design and implementation flaws that could affect all devices with Wi-Fi capabilities, exposing their users to remote attacks.

The vulnerabilities, dubbed FragAttacks (fragmentation and aggregation attacks), were discovered by researcher Mathy Vanhoef, who was also involved in the discovery of the Key Reinstallation Attack (KRACK) vulnerabilities back in 2017.

FragAttacks can be leveraged by an attacker who is within range of the targeted Wi-Fi connection to hack devices and steal sensitive user information.

The vulnerabilities appear to impact all Wi-Fi security protocols, including WEP — this means some of the flaws have been around since 1997 — and the latest WPA3. Vanhoef said all of the more than 75 tested Wi-Fi devices were affected by at least one of the FragAttacks issues, but most of these products were impacted by multiple vulnerabilities.

Tested devices include mobile products from Huawei, Google, Samsung and Apple; computers from Dell, Apple and MSI; Xiaomi and Canon IoT devices; Asus, Linksys and D-Link routers; and Aruba, Lancom and Cisco access points.

A dozen CVE identifiers have been assigned to FragAttacks, including three CVEs for design flaws related to aggregation, mixed key and fragment cache attacks; four CVEs for implementation issues that can be exploited to inject plaintext frames into protected Wi-Fi networks; and five CVEs for various other implementation flaws.

The researcher said the design flaws are more difficult to exploit as they typically require user interaction or uncommon network settings. However, the implementation flaws are easier to leverage in attacks.

Vanhoef has shown how an attacker could use the FragAttacks design flaws to redirect the targeted user to a malicious website. However, this attack requires setting up a malicious server and a rogue Wi-Fi connection mimicking the victim’s connection, as well as user interaction (e.g. opening an email).

Advertisement. Scroll to continue reading.

Vanhoef also demonstrated how some of the implementation flaws can be exploited to take control of smart devices on the targeted network, bypass a home router firewall and gain remote access to the local network, steal a user’s information, and spy on them.

“The biggest risk in practice is likely the ability to abuse the discovered flaws to attack devices in someone’s home network. For instance, many smart home and internet-of-things devices are rarely updated, and Wi-Fi security is the last line of defense that prevents someone from attacking these devices. Unfortunately, due to the discovered vulnerabilities, this last line of defense can now be bypassed,” Vanhoef explained.

Some of the affected vendors have been notified and given 9 months to release patches. The researcher specifically mentioned patches being released by Microsoft (in March) and Linux kernel developers. Mitigations are also available for some of the vulnerabilities.

Vanhoef has set up a dedicated website for FragAttacks and also released a detailed research paper, a video showing how the vulnerabilities can be exploited in real-world attacks, and an open source tool that can be used to determine if Wi-Fi clients and access points are affected by the flaws.

Related: Kr00k Vulnerability Exposed Data From Over a Billion Wi-Fi Devices

Related: Vulnerabilities in Realtek Wi-Fi Module Expose Many Devices to Remote Attacks

Related: Qualcomm, MediaTek Wi-Fi Chips Vulnerable to Kr00k-Like Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

Jill Passalacqua has been appointed Chief Legal Officer at autonomous security solutions provider

Cisco has appointed Sean Duca as CISO and Practice Leader for the APJC region.

More People On The Move

Expert Insights