Detecting FragAttacks: Overview of Newly Discovered WiFi Flaws

May 17, 2021 · 4 min read

Yet another time security practitioners should brace themselves and check their coffee supplies due to a set of recently identified vulnerabilities in the Wi-Fi standard. Collectively called FragAttacks, these flaws affect nearly all wireless-enabled devices and allow adversaries to take control over the vulnerable systems to intercept secret information. Mathy Vanhoef, a security expert who revealed these mind-blowing bugs, indicates that literally all Wi-Fi products are impacted at least by a single issue, with most of them vulnerable to several flaws.

What Are FragAttacks?

FragAttacks, which stand for fragmentation and aggregation attacks, derive from the initial design of Wi-Fi protocols and several programming misconfigurations introduced to Wi-Fi devices. In total, security researchers have identified 12 issues that might result in sensitive data exfiltration. Notably, the revealed bugs impact all modern security protocols of Wi-Fi, including WPA3 specification and WEP. This means that some of the identified vulnerabilities were introduced back in 1997, affecting wireless products for more than two decades.

The good news is that protocol design issues are hard to exploit and there is no evidence these flaws have ever been leveraged in the wild. Yet, there only three vulnerabilities affecting the Wi-Fi standard itself. Other bugs stem from programming lapses that are very trivial to utilize.

An insightful paper from Mathy Vanhoef, a seasoned expert in Wi-Fi security, highlights at least three exploitation scenarios. First of all, adversaries might abuse the vulnerabilities to get the victim’s login details. Secondly, hackers can exploit exposed Internet-of-Things (IoT) devices by activating and deactivating a smart power socket. Thirdly, the security holes could be abused to proceed with sophisticated attacks, including those aimed at seizing control over outdated Windows 7 installations inside a local network.

Researchers believe that existing Wi-Fi flaws might be leveraged to serve two major goals: steal confidential details and take control of vulnerable machines in one’s private network. The second objective is more menacing but likely since smart home and IoT devices frequently lack relevant updates alongside proper cybersecurity defenses.

FragAttacks Detection and Mitigation

The batch of FragAttack vulnerabilities were publicly disclosed after a nine-month embargo period used by the Wi-Fi Alliance to modernize its standard and guidelines under the supervision of the Industry Consortium for Advancement of Security on the Internet (ICASI). Also, the Alliance teamed up with prominent Wi-Fi product vendors to push out firmware patches. The latest ICASI statement reveals a comprehensive overview of existing mitigations and indicates that not all vendors released the required updates. Users are urged to inspect the existing advisories and patch their devices as soon as possible.

To assist the cybersecurity community in their efforts to combat FragAttacks, the SOC Prime Team released a community Sigma rule helping to detect the presence of vulnerabilities on your network. This piece of code is a simple keyword rule that looks for 12 possible CVEs associated with FragAttack. Although this rule does not detect the CVE behavior itself, it might be useful in alerting SecOps teams about the threats endangering organizational infrastructure.

The rule has translations to the following languages:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, FireEye

EDR: SentinelOne

Subscribe to Threat Detection Marketplace, a powerful Detection as Code platform helping security practitioners boost their cyberdefense capabilities and reduce the meantime for attack detection. Our SOC content library aggregates 100K+ detection algorithms and threat hunting queries mapped to CVE and MITRE ATT&CK® frameworks. Enthusiastic to monetize your threat hunting skills? Join our Threat Bounty program to craft your own detection content and get rewards for your input!

Go to Platform Join Threat Bounty

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts