Fragment Attack (FragAttacks): Understanding Wi-Fi Vulnerabilities

Fragmentation and Aggregation Attacks, commonly referred to as FragAttacks, are a set of security vulnerabilities affecting Wi-Fi devices. Discovered by researcher Mathy Vanhoef in 2021, these vulnerabilities exploit weaknesses in the Wi-Fi protocol's frame aggregation and fragmentation mechanisms. FragAttacks allow attackers to steal data or compromise devices on most Wi-Fi networks, even those secured with WPA2 or WPA3. This article explores FragAttacks from both Red Team (offensive) and Blue Team (defensive) perspectives, providing technical insights and a code sample to illustrate the attack mechanism.

What Are FragAttacks?

Wi-Fi protocols use frame aggregation and fragmentation to optimize data transmission. Aggregation combines multiple frames into a single transmission to improve efficiency, while fragmentation splits large frames into smaller pieces for reliable delivery. FragAttacks exploit design flaws in these mechanisms, enabling attackers to inject malicious frames or manipulate fragmented data.

Key vulnerabilities include design flaws in the Wi-Fi standard 802.11, such as:

CVE-2020-24588: Aggregation flaw allowing attackers to inject malicious frames by exploiting improper validation of aggregated frames.
CVE-2020-24587: Fragmentation flaw enabling attackers to mix encrypted fragments from different frames, potentially exfiltrating sensitive data.
CVE-2020-24586: Lack of proper fragment reassembly checks, allowing attackers to forge fragments and bypass encryption.

These vulnerabilities affect nearly all Wi-Fi devices, including routers, smartphones, and IoT devices, regardless of the security protocol in use.

Impact

Broad Exposure: Nearly all Wi-Fi devices (routers, laptops, IoT) are vulnerable.
Encryption Bypass: WPA3 offers no guaranteed protection.
IoT Risks: Many embedded devices lack update mechanisms.
Longevity: As standard-level flaws, these issues will persist until 802.11 revisions are adopted.

Red Team Perspective: Exploiting FragAttacks

From a Red Team perspective, FragAttacks provide a pathway to compromise Wi-Fi networks by injecting malicious frames or extracting sensitive data. Attackers can exploit these vulnerabilities to:

Steal sensitive data (e.g., login credentials or session cookies).
Inject malicious JavaScript into unencrypted HTTP traffic.
Gain a foothold in a network for further attacks.

Attack Scenario

An attacker within range of a vulnerable Wi-Fi network can perform a FragAttack by:

Sniffing Frames: Capturing fragmented or aggregated Wi-Fi frames.
Injecting Malicious Frames: Crafting and injecting malicious frames to exploit aggregation vulnerabilities.
Exfiltrating Data: Reassembling fragments to extract sensitive information or redirect traffic to a malicious server.
MitM Persistence: Combining FragAttacks with ARP/DNS spoofing for long-term access.

Sample Exploit Code

Below is a simplified Python script using Scapy to demonstrate a frame injection attack targeting a vulnerable Wi-Fi device. This script assumes the attacker has already captured a legitimate frame and is injecting a malicious one. Note: This is for educational purposes only and should only be used in controlled environments with permission.

from scapy.all import *
import binascii
 
# Configuration
interface = "wlan0"  # Attacker's Wi-Fi interface
target_bssid = "00:11:22:33:44:55"  # Target AP's MAC address
target_client = "AA:BB:CC:DD:EE:FF"  # Target client's MAC address
 
# Craft a malicious frame (simplified for demonstration)
def craft_malicious_frame():
    # Malicious payload (e.g., fake DNS response or malicious JavaScript)
    payload = binascii.unhexlify("deadbeef")  # Replace with actual payload
    dot11 = Dot11(type=2, subtype=0, addr1=target_client, addr2=target_bssid, addr3=target_bssid)
    frame = RadioTap() / dot11 / LLC() / SNAP() / IP() / UDP() / Raw(load=payload)
    return frame
 
# Inject the frame
def inject_frame():
    frame = craft_malicious_frame()
    print("Injecting malicious frame...")
    sendp(frame, iface=interface, count=10, inter=0.1, verbose=False)
 
if __name__ == "__main__":
    conf.iface = interface
    inject_frame()

This script uses Scapy to craft and inject a malicious Wi-Fi frame. In a real attack, the attacker would need to:

Monitor the target network in promiscuous mode.
Identify fragmented or aggregated frames.
Craft a payload that exploits specific vulnerabilities (e.g., injecting a malicious DNS response).

Attack Mechanics

Attack	Description
Fragmentation Exploits	- Large packets are split into fragments for transmission. - Attackers can inject crafted fragments that get combined with legitimate ones. - Example: Constructing a malicious DNS query by mixing attacker fragments with victim data.
Aggregation Exploits	- Wi-Fi allows multiple packets to be aggregated into one frame. - Malicious subframes can be smuggled inside aggregated packets. - Example: Injecting a fake IPv6 Router Advertisement to alter routing tables.
Key Handling Weaknesses	- Some devices accept fragments encrypted with different session keys. - This breaks the assumption of per-session confidentiality and enables cross-session packet injection.

Challenges for Red Teams

Proximity Requirement: The attacker must be within Wi-Fi range.
Device Specificity: Not all devices are equally vulnerable; firmware variations affect exploitability.
Encryption: WPA3 networks are harder to exploit due to improved frame validation, but vulnerabilities still exist.

Blue Team Perspective: Defending Against FragAttacks

From a Blue Team perspective, the goal is to detect, mitigate, and prevent FragAttacks. Since these vulnerabilities are rooted in the Wi-Fi protocol, complete prevention requires firmware updates and proactive network monitoring.

Defensive Strategies

Patch Management:
- Apply firmware updates to Wi-Fi routers, access points, and client devices. Most vendors released patches for FragAttacks in 2021.
- Regularly check for updates from device manufacturers, as new exploits may target unpatched systems.
Network Segmentation:
- Use VLANs to isolate IoT devices, which are often more vulnerable, from critical systems.
- Implement guest networks to limit the impact of compromised devices.
Encryption and Authentication:
- Prefer WPA3 over WPA2, as it offers stronger protections against frame manipulation.
- Use strong, unique passwords for Wi-Fi networks to prevent unauthorized access.
Intrusion Detection:
- Deploy Wireless Intrusion Detection Systems (WIDS) to monitor for suspicious frame activity, such as unexpected frame injections or malformed fragments.
- Analyze logs for anomalies, such as repeated frame retransmissions or unusual traffic patterns.
Disable Fragmentation/Aggregation (if feasible):
- Some devices allow disabling frame aggregation or fragmentation, though this may impact performance. Consult device documentation before making changes.

Monitoring with Wireshark

Blue Teams can use tools like Wireshark to detect potential FragAttacks. For example, filter for fragmented Wi-Fi frames:

wlan.fc.type == 2 && wlan.fc.fragment == 1

This filter displays data frames with fragmentation, which could indicate an attack if combined with unusual payloads or source addresses.

Challenges for Blue Teams

Patch Availability: Some older or low-cost devices may not receive firmware updates, leaving them vulnerable.
Detection Complexity: FragAttacks are difficult to detect without specialized tools, as they exploit low-level protocol flaws.
IoT Proliferation: The sheer number of Wi-Fi-enabled devices increases the attack surface.

Mitigation Status and Industry Response

Following the discovery of FragAttacks, the Wi-Fi Alliance and device manufacturers released patches to address the vulnerabilities. By 2025, most modern devices running updated firmware are protected, but legacy devices remain at risk. The Wi-Fi Alliance also introduced stricter validation in WPA3 to mitigate future attacks.

Mitigation Strategies

Strategy	Description
Patch Devices	- Apply vendor updates (Microsoft, Apple, Intel, Cisco, Linux distros, etc.).
Protocol Hardening	- Reject plaintext/mixed-encryption fragments. - Enforce strict authentication before reassembly.
Defense-in-Depth	- Use HTTPS, TLS, or VPNs to protect application data. - Disable aggregation features where possible.
Segment Networks	- Segment networks to isolate IoT devices.

Conclusion

FragAttacks highlight the fragility of Wi-Fi protocols when improperly implemented. For Red Teams, these vulnerabilities offer a way to exploit networks, but they require technical expertise and physical proximity. For Blue Teams, the focus is on patching, monitoring, and adopting modern security standards like WPA3. By understanding both perspectives, organizations can better secure their Wi-Fi networks against these sophisticated attacks.

FragAttacks represent one of the most significant Wi-Fi vulnerabilities since KRACK. They exploit core weaknesses in 802.11 fragmentation and aggregation, not just vendor-specific bugs. While patches reduce the attack surface, legacy and IoT devices will remain vulnerable for years. Adopting layered defenses and securing applications at higher protocol layers is essential until the Wi-Fi standard itself evolves.

Love it? Share this article: