What's a FragAttack and How Should IoT Product Managers Deal With It?
Could your device be used in a ‘drive-by’ hack? According to new research there is a good chance it could be.
On May 12th, 2021, security researcher Mathy Vanhoef disclosed a new technique that manipulates multiple vulnerabilities embedded in every WiFi product and that can be exploited remotely in a drive-by hack. “FragAttacks” represent a major break with the perception that devices on a network are safe because they sit behind the router, which is widely believed to prevent the network from being exposed to hackers.
FragAttacks highlight the need to put security on the device itself rather than rely on the network. Not doing so makes your device another gateway for attackers and allows it to be used as part of the attack chain.
What’s a FragAttack?
An adversary who is within range of a victim’s WiFi network can abuse router device vulnerabilities to steal user information or attack other devices on the network.
Malicious actors are constantly finding new ways to exploit networks using a combination of vulnerabilities, looking for weaknesses or flaws within a device to stealthily force their way in. The discovered vulnerabilities allow an attacker to bypass all of the popular secure WiFi protocols that are built in, gain unauthorized connections and gather sensitive information from the network traffic. Arguably, the most disturbing aspect of FragAttacks is that, in close proximity, a hacker can bypass the firewall of the router and create a connection between their remote server and any device inside the network for later exploitation.
More often than not, the hacker will be out to obtain sensitive information such as the victim’s usernames and passwords. But there is also the possibility that they will be looking to cause damage by exploiting insecure IoT devices, remotely taking control of the operating system and launching a more advanced attack.
The process of bypassing the firewall is disturbingly simple. From close proximity, say a building lobby, a neighboring building, or a car parked outside on the street, the hacker can initiate the connection by sending a plaintext frame that looks legitimate but has a malicious packet buried within it. Once this connection is obtained, they can continue to wreak havoc from their remote location.
For example, in this attack method the attacker drives through a target neighborhood, opens a remote connection to the WiFi routers in all the buildings they pass, returns to their remote location and from there infects all the compromised devices. The hacker may then collect these infected devices into a botnet and sell it on the darknet for use in any type of malware attack.
What this means for Product Managers
Having your IoT device caught up in a FragAttack could be devastating. Should the user become aware that their device is infected, they will attribute blame to where they detect a problem – and that will be the malfunctioning device. As a result they may disconnect the device, demand a refund and stop buying your brand in the future. From a product development perspective, an immediate patch will be needed, which will interrupt the software release cycle.
Product managers should not depend on the router as a line of defense against hackers. There is no such thing as being ‘air-gapped’, and there should be a baseline expectation that the IoT device is always accessible to hackers seeking to exploit it.
This means focusing security on the device itself rather than the network. This protection needs to be proactive and able to withstand new threats like these that simply can’t be anticipated. A real-time proactive security solution, such as Firedome, is able to identify and protect against unanticipated vulnerabilities and ensure the ongoing security of your IoT device.
So what should you do immediately? Test your device to identify if it is exposed to this attack – chances are that it is vulnerable. If it is, we provide a series of recommendations:
- If you are protected by a proactive security solution your fleet is safe from this attack. It would be smart to reassure your customer base that they have nothing to be concerned about and emphasize their good luck, because your competitors’ customers are exposed.
- If you are not protected this certainly shouldn’t be marketed, but your customers need to be informed of the vulnerability. Address the issue as part of a release update, advise that a patch is in development and provide a time frame of when it will be ready.
- With a proactive security solution already installed no immediate action is required. However it wouldn’t hurt to apply a patch which can be planned with future version releases.
- If you are not protected, you should stop everything and apply the patch across your fleet immediately.
- With a proactive security solution already installed no immediate action is required.
- If you are not protected, you can run statistical tests to detect anomalous behavior, for example a drop in the number of devices that are connected to the backend.
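As an added example (not code from this post or from Firedome), one way to run the statistical check the last recommendation describes: a z-score test and a relative-drop test over a constructed series of connected-device counts reported by the backend. The function names, the 12-sample window and the thresholds are assumptions chosen for illustration.

```python
from statistics import mean, pstdev

# Constructed telemetry (not real data): connected-device counts reported by
# the backend every 15 minutes. A stable fleet of ~1000 devices, then a sudden
# drop in the last three samples.
CONSTRUCTED_COUNTS = [1002, 998, 1005, 1001, 997, 1003, 999, 1004, 1000, 1002,
                      996, 1001, 1003, 998, 1000, 940, 910, 905]


def z_score_drops(counts, window=12, threshold=3.0):
    """Return (index, count, z) for samples more than `threshold` standard
    deviations below the mean of the preceding `window` samples.

    Only downward deviations are flagged: a loss of devices, not a gain, is
    the signal this check is for. Note that the sliding baseline absorbs the
    drop after a few samples (its variance grows), so a sustained outage can
    stop being flagged; pair it with relative_drop() for that case."""
    alerts = []
    for i in range(window, len(counts)):
        baseline = counts[i - window:i]
        mu = mean(baseline)
        sigma = pstdev(baseline) or 1.0  # floor for a perfectly flat baseline
        z = (counts[i] - mu) / sigma
        if z < -threshold:
            alerts.append((i, counts[i], round(z, 2)))
    return alerts


def relative_drop(counts, window=12, max_drop=0.05):
    """Return (index, count, fraction) for samples more than `max_drop` (as a
    fraction) below the mean of the preceding `window` samples. This check is
    independent of the baseline's variance."""
    alerts = []
    for i in range(window, len(counts)):
        mu = mean(counts[i - window:i])
        if mu == 0:
            continue  # no baseline fleet to compare against
        drop = (mu - counts[i]) / mu
        if drop > max_drop:
            alerts.append((i, counts[i], round(drop, 3)))
    return alerts


if __name__ == "__main__":
    for idx, c, z in z_score_drops(CONSTRUCTED_COUNTS):
        print(f"sample {idx}: {c} connected devices, z={z}")
    for idx, c, d in relative_drop(CONSTRUCTED_COUNTS):
        print(f"sample {idx}: {c} connected devices, {d:.1%} below baseline")
```

On the constructed series the z-score test flags the first two samples of the drop and then loses the third as the window's variance grows, while the relative-drop test flags all three.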
FragAttacks are hardly unique, in the sense that new vulnerabilities are frequently found that compromise the security of connected devices and jeopardize user safety. Back in 2019, the FBI issued a warning that hackers could use smart gadgets to conduct a similar ‘drive-by’ hack. What they didn’t anticipate then is that it could be done via the router to infect the entire network.
For more technical information about the event, and how to protect against it, feel free to reach out to us.