Security Experts:

Connect with us

Hi, what are you looking for?


IoT Security

FragAttacks: New Vulnerabilities Expose All Devices With Wi-Fi to Attacks


A researcher this week disclosed the details of a dozen design and implementation flaws that could affect all devices with Wi-Fi capabilities, exposing their users to remote attacks.


A researcher this week disclosed the details of a dozen design and implementation flaws that could affect all devices with Wi-Fi capabilities, exposing their users to remote attacks.

The vulnerabilities, dubbed FragAttacks (fragmentation and aggregation attacks), were discovered by researcher Mathy Vanhoef, who was also involved in the discovery of the Key Reinstallation Attack (KRACK) vulnerabilities back in 2017.

FragAttacks can be leveraged by an attacker who is within range of the targeted Wi-Fi connection to hack devices and steal sensitive user information.

The vulnerabilities appear to impact all Wi-Fi security protocols, including WEP — this means some of the flaws have been around since 1997 — and the latest WPA3. Vanhoef said all of the more than 75 tested Wi-Fi devices were affected by at least one of the FragAttacks issues, but most of these products were impacted by multiple vulnerabilities.

Tested devices include mobile products from Huawei, Google, Samsung and Apple; computers from Dell, Apple and MSI; Xiaomi and Canon IoT devices; Asus, Linksys and D-Link routers; and Aruba, Lancom and Cisco access points.

A dozen CVE identifiers have been assigned to FragAttacks, including three CVEs for design flaws related to aggregation, mixed key and fragment cache attacks; four CVEs for implementation issues that can be exploited to inject plaintext frames into protected Wi-Fi networks; and five CVEs for various other implementation flaws.

The researcher said the design flaws are more difficult to exploit as they typically require user interaction or uncommon network settings. However, the implementation flaws are easier to leverage in attacks.

Vanhoef has shown how an attacker could use the FragAttacks design flaws to redirect the targeted user to a malicious website. However, this attack requires setting up a malicious server and a rogue Wi-Fi connection mimicking the victim’s connection, as well as user interaction (e.g. opening an email).

Vanhoef also demonstrated how some of the implementation flaws can be exploited to take control of smart devices on the targeted network, bypass a home router firewall and gain remote access to the local network, steal a user’s information, and spy on them.

“The biggest risk in practice is likely the ability to abuse the discovered flaws to attack devices in someone’s home network. For instance, many smart home and internet-of-things devices are rarely updated, and Wi-Fi security is the last line of defense that prevents someone from attacking these devices. Unfortunately, due to the discovered vulnerabilities, this last line of defense can now be bypassed,” Vanhoef explained.

Some of the affected vendors have been notified and given 9 months to release patches. The researcher specifically mentioned patches being released by Microsoft (in March) and Linux kernel developers. Mitigations are also available for some of the vulnerabilities.

Vanhoef has set up a dedicated website for FragAttacks and also released a detailed research paper, a video showing how the vulnerabilities can be exploited in real-world attacks, and an open source tool that can be used to determine if Wi-Fi clients and access points are affected by the flaws.

Related: Kr00k Vulnerability Exposed Data From Over a Billion Wi-Fi Devices

Related: Vulnerabilities in Realtek Wi-Fi Module Expose Many Devices to Remote Attacks

Related: Qualcomm, MediaTek Wi-Fi Chips Vulnerable to Kr00k-Like Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.