How to Protect Your Home Network From ‘FragAttacks’

How to Protect Your Home Network From ‘FragAttacks’

Hearing your wireless devices are vulnerable to something called “FragAttacks” doesn’t exactly inspire joy. However, the word is scarier than the risk; there’s no evidence that anyone is actively exploiting wireless devices via these vulnerabilities, even given the millions that could be susceptible to FragAttacks — short for “fragmentation and aggregation attacks.”

As security researcher Mathy Vanhoef writes:

“The discovered vulnerabilities affect all modern security protocols of Wi-Fi, including the latest WPA3 specification. Even the original security protocol of Wi-Fi, called WEP, is affected. This means that several of the newly discovered design flaws have been part of Wi-Fi since its release in 1997! Fortunately, the design flaws are hard to abuse because doing so requires user interaction or is only possible when using uncommon network settings. As a result, in practice the biggest concern are the programming mistakes in Wi-Fi products since several of them are trivial to exploit.”

What’s a FragAttack?

The name “FragAttack” actually refers to a group of vulnerabilities related to frames, or packets of data, that can be exploited to either steal someone’s information as it passes between networked devices, or to take over a device entirely — whether that’s a simple IoT smart switch or that old laptop you use to browse the web at home. Attackers can either inject unwanted, unencrypted frames into a network, or they can take advantage of how frames are aggregated together (or how aggregates are split apart) to inject and execute data that wasn’t there in the first place.

However, as Vanhoef notes, an attacker would need to be within radio range of your network in order to cause chaos. That already limits your potential risk, as that’s simply not something you’re likely to experience at home or in your apartment (unless you have a sneaky neighbour).

Simple steps to protect yourself from FragAttacks

The best way to keep your network as safe as possible against FragAttack vulnerabilities is to keep your devices updated — and you’ll note this is the same advice we give everyone about every security vulnerability ever. Make sure your routers, smart devices, laptops, phones, or whatever else are all running the most up-to-date firmware and software updates you can find. If you’re lucky, your devices’ manufacturer will have a means for updating them automatically. Otherwise, you’ll need to make sure you’re checking on a regular interval (say, quarterly) for critical updates that can patch up vulnerabilities like these.

For example, Eero has already updated its routers to completely block any FragAttack-style vulnerabilities from being exploited:

“Many of the vulnerabilities discovered by the researchers do not affect eero networks due to a combination of custom changes to our networking software that we have made over the years. Additionally, eeroOS 6.2.1 and later includes a patch that will protect your network from the “FragAttacks (fragmentation and aggregation attacks)” vulnerabilities and is now available to all eero customers. You can tap the details of any of your eeros in the mobile app and trigger an OTA update if the version you are seeing isn’t 6.2.1 or newer in the Settings tab.”

Beyond that, make sure you’re using extensions like HTTPS Everywhere in your browser so you’re always connecting to secure websites (and that the data you’re passing through your devices can’t be intercepted). Additionally, I recommend manually setting a custom DNS in your router and/or devices to help thwart any attacks that attempt to reroute a device to a malicious DNS server.

Beyond that, don’t worry too much about it. Yes, these vulnerabilities are present in just about every networked device, but they’re (thankfully) obscure enough and hard enough to exploit (requiring just enough of a physical presence) that you should be fine as long as you’re staying on top of your security and updates — which you should be doing anyway.


Leave a Reply