Recently, the fragmentation and aggregation attacks (FragAttacks) disclosure has brought to light the risk that unpatched Wi-Fi equipment is susceptible to design flaws in Wi-Fi that have been present since 1997. This risk, while hard to abuse, is being taken seriously by eduroam and the Wi-Fi ecosystem.
FragAttacks is an attack against Wi-Fi infrastructure and clients, rather than against any specific wireless network. Despite being specifically mentioned in the original disclosure, eduroam is no more or less affected than any other enterprise Wi-Fi network. There is nothing you need to specifically do for eduroam that you wouldn’t already need to do for any other Wi-Fi network.
The best way to mitigate against FragAttacks is to keep current on vendor patches and updates. Updates need to be applied to all Wi-Fi components – both Access Points (APs) and Wi-Fi client devices in the field such as smartphones, laptops, and Internet of Things (IoT) devices. Some of these patches may have already been routinely applied; others may still be under development and should be applied as soon as they become available.
There are no reports of this being actively exploited, and it is not a remote attack: it can only be attempted within proximity of vulnerable access points and clients. This is not a service-affecting issue; eduroam authentication infrastructure will continue to function normally, and your login credentials (username/password or certificate) continue to be securely transmitted when clients are configured properly.
The eduroam Operations Team and eduroam National Roaming Operators (NROs) encourage sites to continue to adopt best practices for client security settings by:
- Applying your site-managed eduroam profile to all eduroam clients. This can be done from the Configuration Assistant Tool (CAT) at https://cat.eduroam.org. Sites that do not yet have a profile should contact their eduroam NRO for assistance.
- Reviewing your device settings to remove open/unsecured, automatically connecting Wi-Fi SSIDs, to reduce the risk of connecting to untrustworthy access points.
- Discontinuing the use of older Wi-Fi access points for which security updates are no longer available.
- Continuing to communicate to users that the mounting personal-security and account-compromise risks of using unpatched devices may outweigh the value of using them to remain connected.
- Reviewing, for eduroam site AP operators, their equipment's capability to support 802.11w / PMF (Protected Management Frames) to prevent this style of problem.
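As an added example (not part of this advisory or of any eduroam tooling), the following POSIX shell script audits saved NetworkManager Wi-Fi profiles and reports those that are open and set to auto-connect, which is the review the second recommendation above asks for. It assumes a Linux host with nmcli available and that an empty key-mgmt value identifies an open profile.

```shell
#!/bin/sh
# Added example (not from the eduroam advisory): report saved NetworkManager
# Wi-Fi profiles that are open (no key management) AND set to auto-connect.

# Decide whether one profile is risky: open security and auto-connect.
# Args: NAME AUTOCONNECT(yes|no) KEYMGMT (empty for open networks).
# Prints NAME and returns 0 when risky; prints nothing and returns 1 otherwise.
flag_open_autoconnect() {
  if [ "$2" = "yes" ] && [ -z "$3" ]; then
    printf '%s\n' "$1"
    return 0
  fi
  return 1
}

# Constructed sample records (not real profiles) in NAME:AUTOCONNECT:KEYMGMT form.
SAMPLE_PROFILES='eduroam:yes:wpa-eap
Airport Free WiFi:yes:
HomeNet:no:wpa-psk
Hotel Lobby:yes:'

# Read NAME:AUTOCONNECT:KEYMGMT records from stdin and print the risky names.
audit_records() {
  while IFS=: read -r name auto kmgmt; do
    flag_open_autoconnect "$name" "$auto" "$kmgmt" || true
  done
}

# Live variant (assumption: Linux host with nmcli). Queries each saved Wi-Fi
# profile; an empty key-mgmt value means the profile has no security setting.
audit_nm_profiles() {
  nmcli -t -f NAME,TYPE connection show | while IFS=: read -r name type; do
    [ "$type" = "802-11-wireless" ] || continue
    auto=$(nmcli -g connection.autoconnect connection show "$name")
    kmgmt=$(nmcli -g 802-11-wireless-security.key-mgmt connection show "$name" 2>/dev/null)
    flag_open_autoconnect "$name" "$auto" "$kmgmt" || true
  done
}

# Demo on the constructed sample; pass --live to audit the real profile store.
if [ "${1:-}" = "--live" ]; then
  audit_nm_profiles
else
  printf '%s\n' "$SAMPLE_PROFILES" | audit_records
fi
```

The names it prints are the profiles to remove (for example with `nmcli connection delete NAME`) or to set to autoconnect no, leaving the site-managed eduroam profile in place.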
Additional information on this vulnerability can be found at:
- FragAttacks WLAN vulnerabilities: First Updates (in German)
- Time to patch against FragAttacks
- Commscope FragAttacks Resource Center
- FragAttacks just reinforce the ‘It depends’ complexity of Wi-Fi
- USENIX 2021 paper
Thanks to the eduroam operator community for information used in creating this advisory.