WPA2, the protocol that secures modern protected Wi-Fi networks, may not be as secure as we think.
Weaknesses in the protocol can allow attackers to read and capture information that users believe to be encrypted, such as passwords and payment card numbers.
The weaknesses are in the Wi-Fi standard itself, so any correct implementation of WPA2 is likely affected. If your device supports Wi-Fi, chances are it is affected.
“Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites,” said Mathy Vanhoef, a postdoc at the Belgian University of Leuven, who discovered the weaknesses and led the research.
“An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs),” Vanhoef said in a paper on the subject. “Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on.”
When a client joins a Wi-Fi network, it executes the 4-way handshake to negotiate a fresh encryption key, he said. It will install this key after receiving message 3 of the 4-way handshake. Once the key is installed, it will be used to encrypt normal data frames using an encryption protocol.
“However, because messages may be lost or dropped, the Access Point (AP) will retransmit message 3 if it did not receive an appropriate response as acknowledgment. As a result, the client may receive message 3 multiple times. Each time it receives this message, it will reinstall the same encryption key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by the encryption protocol.”
These key reinstallations can occur spontaneously if the last message of a handshake is lost due to background noise, so a re-transmission of the previous message is needed. “When processing this retransmitted message, keys may be reinstalled, resulting in nonce reuse just like in a real attack,” Vanhoef said.
But the same result can be forced by an attacker who has managed to obtain a man-in-the-middle position.
“In a key reinstallation attack, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying cryptographic handshake messages. When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value,” Vanhoef said.
“Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice. We show that an attacker can force these nonce resets by collecting and replaying retransmissions of message 3 of the 4-way handshake. By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged.”
Several types of cryptographic Wi-Fi handshakes are affected by the attack: Four-way, Group Key, PeerKey, TDLS, and fast BSS Transition.
The KRACK attack can be aimed at different devices running a variety of OSes.
“Our attack is especially catastrophic against version 2.4 and above of wpa_supplicant, a Wi-Fi client commonly used on Linux. Here, the client will install an all-zero encryption key instead of reinstalling the real key,” Vanhoef said.
The KRACK attack does have its limitations. For one, the attack can’t be deployed by remote attackers – they have to be within the wireless communications range of an affected AP and the victim client.
In addition, websites that correctly implement SSL/TLS (HTTPS) are still secure in theory, as the user's browser negotiates a separate encryption layer. However, some sites have this protection improperly configured, and Vanhoef said there are instances in which HTTPS protection can be bypassed.
“Luckily, [WPA2] implementations can be patched in a backwards-compatible manner,” Vanhoef said.
“This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moments in time,” Vanhoef said. “However, the security updates will assure a key is only installed once, preventing our attacks. So again, update all your devices once security updates are available.”
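The retransmitted message 3 behaviour and the install-once fix described above, as an added example (not code from Vanhoef's paper or from any vendor patch): a toy Python model in which `Client`, `run`, the key comparison and the SHAKE-256 keystream are assumptions standing in for a real supplicant and its encryption protocol. It shows the unpatched client reusing a (key, nonce) pair, so the XOR of two ciphertexts equals the XOR of the two plaintexts, while the patched client keeps its nonce counter running.

```python
import hashlib


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy stand-in for the cipher's keystream: SHAKE-256 over key || nonce."""
    return hashlib.shake_256(key + nonce.to_bytes(6, "big")).digest(length)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Hypothetical client model: only the key-install and transmit paths."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.tx_nonce = 0
        self.used = []  # (key, nonce) pairs that have encrypted a frame

    def on_message3(self, key: bytes) -> None:
        # Patched behaviour (simplified): a retransmitted message 3 carrying
        # the key that is already installed must not reset the packet number.
        if self.patched and key == self.key:
            return
        self.key = key
        self.tx_nonce = 0  # unpatched clients reach this on every message 3

    def send(self, plaintext: bytes) -> bytes:
        self.tx_nonce += 1
        self.used.append((self.key, self.tx_nonce))
        return xor(plaintext, keystream(self.key, self.tx_nonce, len(plaintext)))


def run(patched: bool):
    """Handshake, one frame, a retransmitted message 3, then another frame."""
    key = bytes(range(16))                   # constructed session key
    client = Client(patched)
    client.on_message3(key)
    ct1 = client.send(b"GET /account HTTP/1.1")   # constructed plaintexts
    client.on_message3(key)                  # retransmission of message 3
    ct2 = client.send(b"password=hunter2-test")
    nonce_reused = len(set(client.used)) < len(client.used)
    return nonce_reused, xor(ct1, ct2)
```
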
Some vendors have already begun pushing out the patches, and most of them are expected to offer a patch in the very near future. Google said they will be patching any affected devices “in the coming weeks.”
“Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients,” Vanhoef said. “So, it might be that your router does not require security updates.”
“In general, though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.”
CERT/CC offers a list of vendors whose products are affected.