Apple has patched iOS, macOS and other products to protect against the KRACK vulnerability recently disclosed in the WPA2 Wi-Fi security protocol.
KRACK, short for key re-installation attack, allows an attacker within range of a victim’s Wi-Fi network to read encrypted traffic with varying degrees of difficulty.
Many vendors had patched KRACK in their respective products prior to the Oct. 16 public disclosure. Researcher Mathy Vanhoef of Belgium found the vulnerability, privately disclosed it to numerous organizations starting in July, and helped coordinate disclosure.
Apple was among the holdouts until today; the fix is part of iOS 11.1, which also includes patches for 13 bugs in WebKit and other fixes in the kernel, iMessages, and elsewhere. Apple also patched KRACK in macOS High Sierra, Sierra and El Capitan, all of which were updated today, as well as in tvOS and watchOS.
Given that KRACK is a protocol-level bug, it had many experts on edge in its early days. Since then, some of the anxiety has eased, given that exploitation varies in difficulty and that certain conditions must be in place for an attack to succeed.
Because KRACK cannot be exploited remotely and an attacker must be in range of the Wi-Fi network, the severity of the issue is somewhat blunted. Also, VPNs and TLS connections add layers of encryption to communication from home and business networks to the internet. Enterprises are likely most in the line of fire when it comes to the KRACK bug.
“The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations,” Vanhoef wrote in an advisory published Oct. 16. “Therefore, any correct implementation of WPA2 is likely affected.”
More details are available in a research paper called “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2,” scheduled to be formally presented tomorrow at the Computer and Communications Security (CCS) conference and at Black Hat Europe.
The vulnerability surfaces in the four-way handshake carried out when clients join WPA2-protected networks. A pre-shared network password is exchanged during this handshake, authenticating the client and access point. It’s also where a fresh encryption key is negotiated that will be used to secure subsequent traffic.
It is at this step where the key reinstallation attack takes place; an attacker on the network is able to intercede and replay cryptographic handshake messages, bypassing a mandate where keys should be used only once. The weakness occurs when messages during the handshake are lost or dropped—a fairly common occurrence—and the access point retransmits the third part of the handshake (re-using a nonce), theoretically multiple times.
An attacker sniffing the traffic could replay it offline and piece together enough information to steal secrets.
“By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged,” Vanhoef said. “The same technique can also be used to attack the group key, PeerKey, TDLS, and fast BSS transition handshake.”