FragAttacks: The Wi-Fi Flaws Hiding in Almost Every Device
FragAttacks are design flaws baked into Wi-Fi since 1997. Here's what they let attackers do and how to actually protect yourself.
Founder & Lead Technician
Quick answer
FragAttacks are twelve Wi-Fi vulnerabilities disclosed in 2021, three of which are design flaws in the Wi-Fi standard dating to 1997. They can let nearby attackers inject packets or exfiltrate data, affecting almost every Wi-Fi device until firmware and OS updates are applied.
FragAttacks are a set of Wi-Fi security flaws so old they've been sitting in the standard since 1997 — meaning practically every Wi-Fi device ever made is affected to some degree. The name is short for "fragmentation and aggregation attacks," and the researcher who found them, Mathy Vanhoef of New York University Abu Dhabi (the same expert behind the earlier KRACK attack), disclosed twelve separate vulnerabilities in 2021. Three are design flaws in the Wi-Fi standard itself; the rest are programming mistakes that show up across countless products.
Before you panic and unplug your router, here's the honest framing: these flaws are serious and worth patching, but most are difficult to exploit in the real world. Let's break down what they actually are, what an attacker can and can't do, and the concrete steps that matter.
What FragAttacks Actually Are
Wi-Fi doesn't always send data in one neat chunk. To handle larger messages and improve efficiency, it can split a frame into smaller pieces — fragmentation — or bundle several frames together — aggregation. FragAttacks abuse the rules around how devices split, combine, and reassemble these pieces. When an attacker manipulates that process, they can sometimes slip in their own data or trick a device into mishandling encrypted traffic.
The three core design flaws baked into the standard are:
- Aggregation flaw (CVE-2020-24588): The "is this frame aggregated?" flag isn't authenticated, so an attacker can flip it and cause a device to misinterpret data — potentially injecting malicious packets.
- Mixed-key fragmentation flaw (CVE-2020-24587): A device may reassemble fragments that were encrypted under different keys, which it should never do, allowing data exfiltration.
- Fragment cache flaw (CVE-2020-24586): Leftover fragments aren't cleared from memory when a client disconnects, letting an attacker inject their own fragment to be reassembled with a victim's data.
The most important nuance: even a perfectly configured WPA2 or WPA3 network with a strong password is still affected by the three design flaws, because they live in the standard itself — not in your password.
What An Attacker Can — And Can't — Do
In theory, a successful FragAttack could let someone inject packets, redirect a victim to a malicious server, or in some setups exfiltrate small amounts of data. The headline-grabbing claim is the ability to "steal passwords and inject malware." That's technically possible in lab conditions, but it deserves heavy caveats.
Exploitation is hard. An attacker generally needs to be within Wi-Fi range, the victim usually has to take some action (like visiting an attacker-influenced website), and many of the implementation bugs only exist on specific, unpatched devices. There is no evidence of FragAttacks being used in widespread real-world attacks. Compare that to the everyday threat of a weak password or a phishing email, which are exploited constantly. This is a "patch it and move on" issue, not a "the sky is falling" one.
Which Devices Are Affected
Because the design flaws are in Wi-Fi itself, the affected list is essentially "anything with Wi-Fi." The implementation bugs vary by manufacturer and firmware version.
| Device category | Examples | Main fix |
|---|---|---|
| Routers and access points | Netgear, TP-Link, Asus, Linksys, Cisco, Ubiquiti | Firmware update from vendor |
| Computers | Windows, macOS, Linux, Chromebooks | OS and driver updates |
| Mobile devices | iPhone, iPad, Android phones | OS security patches |
| IoT and smart home | Cameras, plugs, consoles, smart TVs | Vendor firmware (often slow or absent) |
The weak spot in that table is the bottom row. Routers and mainstream operating systems got patched quickly after the 2021 coordinated disclosure — Microsoft, Apple, the Linux kernel, and major router brands all shipped fixes. Cheap IoT devices are the lingering problem, because many never receive firmware updates at all.
How To Protect Yourself
The good news is that defense is mostly about hygiene you should be doing anyway. Work through these in order:
- Update your router firmware. Log into your router's admin page and check for updates, or enable auto-updates if available. This is the single highest-impact step.
- Patch every device. Install OS and security updates on phones, laptops, and tablets. Most FragAttacks fixes shipped years ago and are already waiting in pending updates.
- Use HTTPS everywhere. Vanhoef himself noted that the biggest practical protection is making sure traffic is already encrypted at the application layer. Modern browsers default to HTTPS, which neutralizes most data-theft scenarios even if the Wi-Fi layer is poked.
- Prefer WPA3 where supported. It's more robust than WPA2, though it doesn't make these design flaws vanish entirely.
- Replace unsupported IoT gear. If a smart device hasn't had a firmware update in years and never will, isolate it on a guest network or retire it.
If you only do one thing, update your router. Everything else layers on top of a patched gateway.
Why This Matters
FragAttacks are a useful reminder that the foundations of the internet are full of decades-old design decisions that didn't anticipate modern threats. A flaw introduced in 1997 quietly traveled into billions of devices, and nobody noticed for over twenty years. That's not unique to Wi-Fi — it's how legacy standards age.
The practical lesson is reassuring, though. You don't need deep networking knowledge to stay safe here. Keep firmware and software current, lean on HTTPS, and don't let abandoned smart-home gadgets become the soft spot in your network. Do that, and FragAttacks move from a scary headline to a closed checkbox.
How FragAttacks Compare To KRACK And Other Wi-Fi Threats
FragAttacks didn't appear in a vacuum. The same researcher, Mathy Vanhoef, made headlines in 2017 with KRACK (Key Reinstallation Attack), which broke the WPA2 handshake itself and was far more practical to exploit. Putting these threats side by side helps calibrate how worried you should actually be about each one.
| Threat | What it targets | Practical risk | Primary fix |
|---|---|---|---|
| KRACK (2017) | WPA2 4-way handshake | Moderate to high when unpatched | OS and router patches |
| FragAttacks (2021) | Frame fragmentation and aggregation | Low — hard to exploit | Firmware and OS patches |
| Weak password / WPS | Network access | High — actively exploited | Strong password, disable WPS |
| Evil twin / rogue AP | Tricking you onto a fake network | High — common in public spaces | Verify networks, use a VPN |
The honest takeaway from that table is humbling: the boring, well-understood threats — a weak password, an open WPS button, a fake hotspot in a coffee shop — remain far more dangerous to the average person than the exotic, technically impressive FragAttacks. Don't let a dramatic vulnerability name distract you from the fundamentals.
How To Tell If You're Already Protected
You probably are, and you can verify it without special tools. Check the firmware version on your router's admin page against the manufacturer's site — if it's a 2021 or later release, the FragAttacks fixes are almost certainly baked in. On your phone or laptop, confirm you're not stuck on an ancient OS version; any device receiving regular security updates in the past few years has these patches.
For the devices you can't easily check — that bargain smart plug, the no-name security camera — assume the worst and contain them. Many modern routers let you create a separate guest or IoT network. Putting untrusted gadgets there means that even if one is compromised through an unpatched flaw, the attacker can't pivot to your laptop or phone on the main network.
Network segmentation is the unsung hero of home security. A cheap smart bulb on an isolated network can't become a stepping stone to the device holding your bank login.
What FragAttacks Teaches About Disclosure
There's a quietly reassuring story behind these flaws that's worth knowing. Vanhoef didn't dump the vulnerabilities online for anyone to exploit. He followed coordinated disclosure: he reported the issues privately to the Wi-Fi Alliance and major vendors, then waited roughly nine months while patches were prepared, before going public in May 2021. By the time the world heard about FragAttacks, fixes were already shipping.
That nine-month head start is the main reason these flaws never turned into a real-world disaster. It's a model of how security research is supposed to work, and it's why the practical risk to you today is low if you simply keep your devices updated. The vulnerabilities were dangerous in theory, but the responsible handling meant defenders were ready before attackers even knew where to look.
The flip side is the long tail of devices that never got patched. Coordinated disclosure protects the ecosystem only where vendors actually ship updates. For abandoned routers and no-name smart gadgets, the patch may simply never arrive — which loops back to the same advice: keep what you can updated, isolate what you can't, and retire hardware that's been left behind.
Frequently asked questions
Does a strong Wi-Fi password protect me from FragAttacks?+
Not completely. The three core FragAttacks are design flaws built into the Wi-Fi standard itself, so they affect even networks with WPA2 or WPA3 and a long, complex password. A strong password still matters for blocking other attacks, but the real fix for FragAttacks is installing firmware and operating system updates.
Have FragAttacks been used in real attacks?+
There is no evidence of widespread real-world exploitation. The flaws are difficult to exploit: an attacker typically needs to be within Wi-Fi range and the victim often has to take some action. They are serious enough to patch, but they are far less of a practical threat than phishing or weak passwords.
What is the single most important step to fix FragAttacks?+
Update your router firmware. The router is the gateway for every device on your network, and most major vendors released patches after the 2021 disclosure. After that, install OS and security updates on all your phones, laptops, and tablets, and replace any IoT devices that no longer receive firmware updates.
Founder & Lead Technician
Harjindar founded Ask Technicians to cut through bad tech advice. He writes hands-on troubleshooting guides drawn from years of real-world repair and support work.
Related guides
Novak Djokovic Joins General Atlantic as Advisor
General Atlantic has named tennis great Novak Djokovic a global strategic advisor as the private equity firm pushes deeper into health, wellness, and sports.
Tesla Settles Fatal FSD Crash Lawsuit: What We Know
Tesla has settled a lawsuit over a fatal 2023 Full Self-Driving crash, but the federal NHTSA engineering analysis into the system is still open.
Menlo Ventures Raises Record $3B Fund on Anthropic Bet
Menlo Ventures closed the largest fund in its 50-year history, propelled by a 2024 bet on Anthropic now reportedly worth around 14 billion dollars.
Meta Plans Arena: A Prediction Market App
Mark Zuckerberg has greenlit a Polymarket-style prediction app called Arena. Here is what it is, how it works, and why it is launching now.