A group of security researchers has discovered several serious key management vulnerabilities in the core of Wi-Fi Protected Access II (WPA2) protocol that could be exploited by an attacker to hack into Wi-Fi network and eavesdrop on the Internet connections. The attacks can steal sensitive information such as credit card numbers, passwords, chat messages, emails, and pictures.
The flaws were found by the Belgian researcher Mathy Vanhoef of imec-DistriNet, KU Leuven, who published a detailed paper (titled “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2”) that described an attack method dubbed KRACK attack (Key Reinstallation Attack).
The hacking technique devised by the researchers works against almost any WPA2 Wi-Fi network, because the issues reside in the Wi-Fi WPA2 standard itself, and not in the various implementations meaning that the WPA2 has been compromised.
The impact could be serious for both companies and home users, any working implementation of WPA2 is likely affected, the only limitation is that an attacker needs to be within the range of a victim to exploit the weaknesses.
“We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs),” states a post published by Vanhoef. “Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks.”
The KRACK attack allows attackers to decrypt WiFi users’ traffic without cracking or knowing the password; the experts highlighted that depending on the network configuration, it is also possible to inject and manipulate data. An attacker can carry on a KRACK attack to inject a malware such as a ransomware or other malicious code into websites.
The researchers explained the KRACK attack works against:
- Both WPA1 and WPA2,
- Personal and enterprise networks,
- Ciphers WPA-TKIP, AES-CCMP, and GCMP
When the researchers started their tests on the hacking technique, they discovered that the vulnerabilities affect various operating systems, computers and devices such as Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys.
CERT/CC published a detailed list of the affected devices by some variant of the attacks.
The KRACK attack works by exploiting a 4-way handshake of the WPA2 protocol that’s used to establish a key for encrypting traffic.
This handshake is executed every time a client joins a protected Wi-Fi network; it is a mechanism used to confirm that both the client and access point possess the correct credentials (e.g., the pre-shared password of the network). The 4-way handshake is also used to negotiate a fresh encryption key that will be used to encrypt all subsequent traffic.
“When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e., nonce) and receive packet number (i.e., replay counter) are reset to their initial value,”
explained Vanhoef. “Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found the WPA2 protocol does not guarantee this. By manipulating cryptographic handshakes, we can abuse this weakness in practice.”
KRACK attack leverages on the ability of the attacker of tricking victims into re-installing an already-in-use key, which is achieved by manipulating and replaying cryptographic handshake messages.
The experts demonstrated how to execute the key reinstallation attack against an Android smartphone to decrypt a transmission over a protected WiFi.
The researchers explained that KRACK attack is exceptionally effective against Linux and Android 6.0 or higher because it is quite easy for attackers to reinstall already-in-use-key.
“For an attacker, this is easy to accomplish because our key reinstallation attack is exceptionally devastating against Linux and Android 6.0 or higher. This is because Android and Linux can be tricked into (re)installing an all-zero encryption key (see below for more info). When attacking other devices, it is harder to decrypt all packets, although a large number of packets can nevertheless be decrypted. In any case, the following demonstration highlights the type of information that an attacker can obtain when performing key reinstallation attacks against protected Wi-Fi networks.” explained the expert.
“Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations.”
Below is the video PoC of the KRACK attack shared by the researchers:
“Adversaries can use this attack to decrypt packets sent by clients, allowing them to intercept sensitive information such as passwords or cookies.” the researcher said.
“Decryption of packets is possible because a key reinstallation attack causes the transmit nonces (sometimes also called packet numbers or initialization vectors) to be reset to zero. As a result, the same encryption key is used with nonce values that have already been used in the past.”
Ethical Hacking Training – Resources (InfoSec)
As perfectly summarized by Sean Gallagher on Ars Technica, depending on the type of handshake mechanism used between the devices and the Access Point the KRACK attack can do varying levels of damage:
- For connections using AES and the Counter with CBC-MAC Protocol ((AES)-CCMP), an attacker can exploit the vulnerabilities to decrypt the traffic and inject content into TCP packet streams. In this attack scenario, the attacker cannot break the key or forge it, he cannot join the network, but he should use a “cloned” access point with the same MAC address as the access point of the targeted network, on a different Wi-Fi channel.
- For WPA2 systems using the Temporal Key Integrity Protocol (TKIP), the Message Integrity Code key can be recovered by the attacker. The attacker can replay captured packets to the network, forge and transmit new packets to the targeted client posing as the access point.
- For devices that use the Galois/Counter Mode Protocol (GCMP), the attack is the worst: “It is possible to replay and decrypt packets,” Vanhoef and Piessens wrote. “Additionally, it is possible to recover the authentication key, which in GCMP is used to protect both communication directions [as client or access point]… therefore, unlike with TKIP, an adversary can forge packets in both directions.” That means that the attacker can essentially join the network and pretend to be a client or the access point, depending on the type of access they want. “Given that GCMP is expected to be adopted at a high rate in the next few years under the WiGig name, this is a worrying situation,” the researchers noted.
Below the full list of WPA2 Vulnerabilities discovered in the WPA2 protocol.
- CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
- CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
- CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
- CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
- CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
- CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
- CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
- CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
- CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
- CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
The researchers discovered the vulnerabilities last year and reported them to the affected vendors on July 14; the US-CERT also issued an alert to hundreds of vendors on 28 August 2017.
“US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven will be publicly disclosing these vulnerabilities on 16 October 2017.” the US-CERT warned.
How to protect affected devices?
The use of VPN and other anonymizing techniques can offer a supplementary level of protection to communications.
“This sounds bad. However, a significant amount of the risk would be mitigated for services that use strong encryption at the transport or application layer (such as TLS, HTTPS, SSH, PGP) as well as applications secured by encrypted VPN protocols,” the Crypto expert Arnold KL Yau told El Reg.
“Despite this, however, the ability to decrypt Wi-Fi traffic could still reveal unique device identifiers (MAC addresses) and massive amounts of metadata (websites visited, traffic timing, patterns, amount of data exchanged, etc.) which may well violate the privacy of the users on the network and provide valuable intelligence to whoever’s sitting in the black van.”
The research team plans to release a tool that will allow users to verify if their Wi-Fi network is vulnerable to the KRACK attack.
“We have made scripts to detect whether an implementation of the 4-way handshake, group key handshake, or Fast BSS Transition (FT) handshake is vulnerable to key reinstallation attacks. These scripts will be released once we had the time to clean up their usage instructions,” concluded the expert.
“We also made a proof-of-concept script that exploits the all-zero key (re)installation present in certain Android and Linux devices. This script is the one that we used in the demonstration video. It will be released once everyone had a reasonable chance to update their devices (and we have had a chance to prepare the code repository for release).”