Severe flaw in WPA2 protocol announced

Mike A.


Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

KRACK attack allows other nasties, including connection hijacking and malicious injection.

DAN GOODIN - 10/16/2017, 12:37 AM

An air of unease set into the security circles on Sunday as they prepared for the disclosure of high-severity vulnerabilities in the Wi-Fi Protected Access II protocol that make it possible for attackers to eavesdrop Wi-Fi traffic passing between computers and access points.

The proof-of-concept exploit is called KRACK, short for Key Reinstallation Attacks. The research has been a closely guarded secret for weeks ahead of a coordinated disclosure that's scheduled for 8 a.m. Monday, east coast time. An advisory the US CERT recently distributed to about 100 organizations described the research this way:

US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher, KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.

According to a researcher who has been briefed on the vulnerability, it works by exploiting a four-way handshake that's used to establish a key for encrypting traffic. During the third step, the key can be resent multiple times. When it's resent in certain ways, a cryptographic nonce can be reused in a way that completely undermines the encryption...

The vulnerabilities are scheduled to be formally presented in a talk titled Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 scheduled for November 1 at the ACM Conference on Computer and Communications Security in Dallas. It's believed that Monday's disclosure will be made through the site krackattacks.com. The researchers presenting the talk are Mathy Vanhoef and Frank Piessens of KU Leuven and imec-DistriNet, Maliheh Shirvanian and Nitesh Saxena of the University of Alabama at Birmingham, Yong Li of Huawei Technologies in Düsseldorf, Germany, and Sven Schäge of Ruhr-Universität Bochum in Germany. The researchers presented this related research in August at the Black Hat Security Conference in Las Vegas.

The vast majority of existing access points aren't likely to be patched quickly, and some may not be patched at all. If initial reports are accurate that encryption bypass exploits are easy and reliable in the WPA2 protocol, it's likely attackers will be able to eavesdrop on nearby Wi-Fi traffic as it passes between computers and access points. It might also mean it's possible to forge Dynamic Host Configuration Protocol settings, opening the door to hacks involving users' domain name service.



Kawboy12R

I'm having a major "Uh oh" moment here. This is big.

Mike A.

Fortunately, it appears that they coordinated this with the major vendors at least so some have already been patched and more will be. Some stuff probably won't ever be.


The attack works by exploiting the comms that go on when a device joins a wifi network. There is a 4-step process used to confirm first that the device is using the correct password for the wifi router, and then to agree an encryption key that will be used for all the data sent between them during the connection.

In a key reinstallation attack, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying cryptographic handshake messages. When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value. Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice.

The practical implication of this is, if you know any of the contents of the data that have been sent between the device and the router, you can use that known data to work out the encryption key. As Vanhoef points out, there is almost always going to be known data being passed at some point, so you have to assume that the encryption can always be cracked. Even if you don’t know any of the content, a sufficient volume of English text would be enough to break the encryption.

With Android and Linux, an attacker doesn’t even have to do that much work: the attacker can simply reset the encryption key.

The good news is that Vanhoef says that WPA2 can be patched to block the attack, and the patch will be backward compatible. Once a patch is available for your router, you should update the firmware without delay.

The Wi-Fi Alliance has issued a security advisory thanking Vanhoef for his work, stating that it is aware of the issue and that major platform providers have already started deploying patches. It says there is no evidence that the attack has been used in the wild, though the research paper notes that such attacks would be difficult to detect.
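A toy model of the weakness described above, added here as an example and not code from the thread or from the researchers: a minimal supplicant that either reinstalls the key on a replayed message 3 (resetting its packet number, hence its nonce) or, when patched, refuses to reinstall a key it already has. The keystream is a hash-based stand-in for AES-CCMP, the key and both frames are constructed sample values, and the check shows why a repeated nonce plus one known frame exposes the other frame, and why the patched behaviour stops it.

```python
import hashlib

def keystream(key, pn, length):
    # Stand-in for AES-CCMP's CTR keystream (not the real cipher): the same key and
    # packet number always yield the same bytes, which is the only property modelled here.
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + pn.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Supplicant:
    """Minimal model of a WPA2 client's key-installation state."""
    def __init__(self, patched):
        self.patched = patched
        self.ptk = None
        self.pn = 0  # transmit packet number; the per-frame nonce is derived from it

    def on_message3(self, ptk):
        # Unpatched: every (re)transmitted message 3 installs the key and resets the
        # packet number to 0. Patched: a key that is already installed is never reinstalled.
        if self.patched and self.ptk == ptk:
            return False
        self.ptk, self.pn = ptk, 0
        return True

    def send(self, plaintext):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))

def simulate(patched):
    """Replay message 3 after one frame; report nonce reuse and whether the second frame leaks."""
    client = Supplicant(patched)
    ptk = b"constructed-demo-ptk-not-a-real-key"   # constructed sample key
    known = b"GET /index.html HTTP/1.1"           # constructed frame whose contents are predictable
    secret = b"Cookie: session=0xDEMO_SECRET"      # constructed frame worth protecting
    client.on_message3(ptk)
    pn1, c1 = client.send(known)
    client.on_message3(ptk)                         # replayed handshake message 3
    pn2, c2 = client.send(secret)
    # With a repeated keystream, c1 XOR c2 == known XOR secret, so the predictable
    # frame reveals the other one; with a fresh nonce the same XOR is just noise.
    recovered = xor(xor(c1, c2), known)
    return {"nonce_reused": pn1 == pn2,
            "leaked": recovered == secret[:len(recovered)]}
```

`simulate(False)` reports the unpatched outcome and `simulate(True)` the patched one; a client that reinstalls the same key once per replayed message 3 is the behaviour the vendor updates remove.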

Mike A.

On further review this is worse than I originally thought. Patching the router end would be relatively easy. But it's primarily client side...

"Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones."

Android phones and Linux devices are done. They accept a simple all-zero key that can be injected...

"Android 6.0 and above contains a vulnerability that researchers claim “makes it trivial to intercept and manipulate traffic sent by these Linux and Android devices.” 41 percent of Android devices are vulnerable to an “exceptionally devastating” variant of the Wi-Fi attack that involves manipulating traffic. Attackers might be able to inject ransomware or malware into websites thanks to the attack, and Android devices will require security patches to protect against this. Google says the company is “aware of the issue, and we will be patching any affected devices in the coming weeks.”

Although most devices appear to be vulnerable to attacks reading Wi-Fi traffic, the exploit doesn’t target access points. The attack exploits vulnerabilities in the 4-way handshake of the WPA2 protocol, a security handshake that ensures client and access points have the same password when joining a Wi-Fi network."


dogbert831

I run Ubiquiti wifi at home. They released a patch yesterday which I installed right away. What I worry about as it relates to this forum is the camera firmware. I just checked the Amcrest forum and they don't seem like they are taking it seriously. Can't seem to find out anything on Dahua. I get the feeling that the average vendor is going to be rather slow to address this.

dogbert831

Does having your connection to a VPN help?
If you're using a VPN, that does help secure your overall network but it doesn't address the wifi issue. While it's not recommended that you use wifi cameras from a reliability standpoint, there are some situations where wifi is necessary. The problem is that an unpatched wifi camera is susceptible to the KRACK vulnerability. As far as I know, none of the camera manufacturers have released updates for this yet.