Most WiFi Devices Vulnerable to WPA2-Targeting Exploits
Security protocols in WiFi have a “serious weakness” that could be exploited by in-range attackers to forcibly reinstall keys on the device, route around HTTPS and encryption, and to eavesdrop on all communications and potentially manipulate data or inject malware.
So warns security researcher Mathy Vanhoef at Belgium’s KU Leuven University, who’s launched a website, krackattacks.com to detail the vulnerabilities in Wi-Fi Protected Access 2, or WPA2. He says the flaws “can be exploited using a so-called key reinstallation attack – or KRACK – which refers to replacing an in-use key with an attacker-created one.”
Most WiFi networks that use WPA2, including personal and enterprise WPA2 networks, appear to be vulnerable. Successful exploits allow an attacker to gain man-in-the-middle access to communications and potentially inject malicious data, including malware or ransomware.
“Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted,” Vanhoef says. “This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos and so on. The attack works against all modern protected Wi-Fi networks.”
The U.S. Computer Emergency Response Team issued a Sunday alert about the threat of key reinstallation attacks against WPA2. “US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol,” US-CERT’s alert reads. “The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others.”
More details of the flaw, including lists of vulnerable devices and vendor-specific updates, are due to be announced on Monday by US-CERT’s Coordination Center.
“The weaknesses are in the WiFi standard itself, and not in individual products or implementations,” Vanhoef says on the krackattacks.com site. “Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports WiFi, it is most likely affected.”
‘Devastating’ Against Linux, Sometimes Android
[embedded content]Mathy Vanhoef demonstrates a proof-of-concept key reinstallation attack against an Android device using a WPA2-protected WiFi network.
Vanhoef says the flaw affects everything from Android, Linux and Window to Apple, OpenBSD, MediaTek, and Linksys, amongst others.
“Our key reinstallation attack is exceptionally devastating against Linux and Android 6.0 or higher,” he says, noting that most attacks can only recover a subset of all communications. On Android and Linux devices, however, an attacker can typically obtain a complete copy of all communications. “This is because Android and Linux can be tricked into (re)installing an all-zero encryption key,” he says, which makes it easy to decrypt all communications on the fly.
Vanhoef has published his findings in a detailed research paper, Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. He’s due to present the findings on Nov. 1 at the Computer and Communications Security conference in Dallas, and in December at Black Hat Europe in London.
Alan Woodward, a computer science professor at Britain’s University of Surrey, says “the heart of the WPA2 flaw” involves an attack against WPA2’s four-way handshake.
This is the heart of the WPA2 flaw pic.twitter.com/3fytY7uak8
— Alan Woodward (@ProfWoodward) October 16, 2017
10 Specific Vulnerabilities
Vanhoef says his findings center on 10 specific flaws, each of which has been assigned a Common Vulnerabilities and Exposures identifier and help track affected products. He says each vulnerability represents a unique key reinstallation attack and that many vendors’ products will be vulnerable to multiple CVEs.
Here’s his full list of flaws:
- CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
- CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
- CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
- CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
- CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
- CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
- CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
- CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
- CVE-2017-13087: Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
- CVE-2017-13088: Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
Contact Vendors for Patches
To mitigate the flaws, Vanhoef is clear: Everyone should contact their vendors.
“In general though, you can try to mitigate attacks against routers and access points by disabling client functionality – which is for example used in repeater modes – and disabling 802.11r – fast roaming,” he says. “For ordinary home users, your priority should be updating clients such as laptops and smartphones.”
Many access points and especially less expensive, mass-produced devices sold to consumers may never get a fix for their WPA2 flaws. But Vanhoef says that client-side fixes from vendors will likely be able to block all KRACK attacks.
While this is the first attack against WPA2 that works without guessing passwords, many security researchers say they are not surprised that a serious flaw has been found in WPA2.
“Keep calm,” Alex Hudson, CTO at London-based digital services subscription firm Iron Group, says in a blog post reacting to the news.
Like many IT executives, Hudson has been reviewing what steps need to be taken in light of the KRACK attack debuting. One piece of good news is that successful attacks require proximity. “So, you’re not suddenly vulnerable to everyone on the internet,” he says. “It’s very weak protection, but this is important when reviewing your threat level.”
Don’t panic. Targetted attack. If worried use VPN and only use HTTPS sites. (65 characters :))
— Alan Woodward (@ProfWoodward) October 16, 2017
Hudson says repercussions from these flaws will likely be felt for years. “It’s clear to me that ‘internet of things’ type devices will be the hardest hit,” he says. “Devices with embedded WiFi for secondary functional purposes, like TVs and baby monitors, are unlikely to get proper updates. As a protocol problem, it’s possible we will be forced to choose between security and functionality, and many users will choose the latter.”