A series of vulnerabilities in the Wi-Fi standard render all Wi-Fi Protected Access II (WPA2) protocol implementations vulnerable to a new type of attack, security researchers have discovered.
Called Key Reinstallation Attack, or KRACK, the novel technique allows attackers who are within range of a victim to access information that was previously assumed to be safely encrypted. Thus, attackers can steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and more.
Discovered by Mathy Vanhoef and Frank Piessens, the weaknesses reside in the Wi-Fi standard itself, meaning that all correct implementations of WPA2 are likely affected. The security researchers have already discovered that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are affected by some variant of the attack.
The 4-way handshake that protected Wi-Fi networks use to generate a fresh session key is a 14-year-old function that has remained free from attacks until now, and was even proven secure. What Vanhoef and Piessens discovered, however, was that the 4-way handshake is vulnerable to a key reinstallation attack.
The researchers explained that an adversary could trick the victim into reinstalling an already-in-use key by manipulating and replaying handshake messages.
“When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value,” the researchers explain in their research paper (PDF).
The attack can break the PeerKey, group key, and Fast BSS Transition (FT) handshake, having a different impact on each of them, based on the data-confidentiality protocol in use.
The researchers provided the video below, which demonstrates the attack in detail.
While the attacker could replay and decrypt (but not forge) packets against AES-CCMP (thus hijacking TCP streams), they could replay, decrypt, and forge packets against WPA-TKIP and GCMP, with a catastrophic impact. GCMP is affected the most, as it uses the same authentication key in both communication directions.
“After establishing a man-in-the-middle position between an AP and client, an attacker can selectively manipulate the timing and transmission of messages in the WPA2 Four-way, Group Key, Fast Basic Service Set (BSS) Transition, PeerKey, Tunneled Direct-Link Setup (TDLS) PeerKey (TPK), or Wireless Network Management (WNM) Sleep Mode handshakes, resulting in out-of-sequence reception or retransmission of messages,” the US-CERT notes in an advisory.
The security researchers demonstrated their attack against Android 6.0, claiming that it is “exceptionally devastating” against the platform. Specifically, they explain that both Android and Linux can be forced into “(re)installing an all-zero encryption key.”
“All Wi-Fi clients we tested were vulnerable to our attack against the group key handshake. This enables an adversary to replay broadcast and multicast frames. When the 4-way or fast BSS transition handshake is attacked, the precise impact depends on the data-confidentiality protocol being used. In all cases though, it is possible to decrypt frames and thus hijack TCP connections. This enables the injection of data into unencrypted HTTP connections,” the paper reads.
The researchers also note that the key reinstallation attack even occurs spontaneously when certain handshake messages are lost due to background noise, meaning that implementations are reusing nonces even without an adversary being present.
Mitigation is possible by checking whether an already-in-use key is being installed and, if so, not resetting the associated nonces and replay counters, the researchers note. Another solution would be to ensure that a particular key is only installed once during a handshake execution.
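The first mitigation can be modelled in a few lines. The following is an added example, not code from the researchers or from any vendor patch: the `Supplicant` class, its method names, the sample key and the SHA-256 keystream (a stand-in for CCMP/GCMP) are all assumptions made for illustration. It runs the same session against an unhardened and a hardened client and reports whether a retransmitted handshake message 3 causes nonce reuse and lets an old frame be accepted again.

```python
import hashlib
import hmac


class Supplicant:
    """Toy client-side key state; models only what the mitigation touches."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.tk = None          # installed temporal key
        self.tx_pn = 0          # transmit packet number (nonce)
        self.rx_replay = 0      # highest packet number accepted so far

    def on_handshake_msg3(self, tk):
        """Called for every message 3 received, retransmissions included."""
        if self.hardened and self.tk is not None and hmac.compare_digest(self.tk, tk):
            return False        # key already in use: keep the counters
        self.tk, self.tx_pn, self.rx_replay = tk, 0, 0
        return True

    def send(self, plaintext):
        """Encrypt one frame; returns (packet number, ciphertext)."""
        self.tx_pn += 1
        # Stand-in keystream (SHA-256 of key and nonce), not real CCMP/GCMP.
        stream = hashlib.sha256(self.tk + self.tx_pn.to_bytes(6, "big")).digest()
        return self.tx_pn, bytes(p ^ s for p, s in zip(plaintext, stream))

    def receive(self, pn):
        """Accept a frame only if its packet number is fresh."""
        if pn <= self.rx_replay:
            return False
        self.rx_replay = pn
        return True


def run_session(hardened):
    """Message 3 arrives, traffic flows, then message 3 arrives again."""
    tk = bytes(range(16))                      # constructed sample key
    sta = Supplicant(hardened)
    sta.on_handshake_msg3(tk)
    first = sta.send(b"frame-one-data")
    accepted_first = sta.receive(1)
    reinstalled = sta.on_handshake_msg3(tk)    # retransmitted message 3
    second = sta.send(b"frame-two-data")
    return {
        "reinstalled": reinstalled,
        "nonce_reused": first[0] == second[0],
        "replay_accepted": sta.receive(1),     # same frame presented again
        "accepted_first": accepted_first,
    }
```

With `hardened=False` the second message 3 resets both counters, so the next frame is encrypted under a nonce that was already used and a previously accepted packet number passes the replay check again; with `hardened=True` neither happens.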
While Vanhoef and Piessens argue that most WPA2 implementations are vulnerable, Iron Group CTO Alex Hudson points out that Wi-Fi offers a limited amount of physical security by requiring an attacker to be in proximity.
“So, you’re not suddenly vulnerable to everyone on the internet. It’s very weak protection, but this is important when reviewing your threat level,” he says.
Hudson also notes that only a few protocols actually rely on WPA2 security: “Accessing secure websites over WiFi is still totally safe. Hopefully – but there is no guarantee – you don’t have much information going over your network that requires the encryption WPA2 provides,” he continues.
On a dedicated website, Vanhoef and Piessens published a list of CVE identifiers assigned to track affected products and explained that each of these identifiers represents a specific instantiation of a key reinstallation attack. Thus, each CVE describes a specific protocol vulnerability and some vendors could be affected by each of them.
The vulnerabilities are CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, and CVE-2017-13088.
The security researchers also note that they are warning vendors of the discovered vulnerabilities, meaning that security updates addressing them are likely to be released. A list of notified vendors is available here.
“This issue can be resolved through straightforward software updates, and the Wi-Fi industry, including major platform providers, has already started deploying patches to Wi-Fi users,” the Wi-Fi Alliance explained in a statement.
“There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections,” the Wi-Fi Alliance added. “Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member.”
The new attack method will be presented at the ACM Conference on Computer and Communications Security (CCS) and at Black Hat 2017.