Google this week finally addressed the KRACK vulnerability in Android, three weeks after the WPA2 protocol flaw was publicly disclosed.
The KRACK patches are the most high-profile fixes in the November Android Security Bulletin, which includes three patches levels; the KRACK patches are in the Nov. 6 patch level, Google said.
A separate Google Pixel and Nexus security bulletin was also released, but it does not contain patches for KRACK.
Apple was the most recent giant tech firm to patch KRACK prior to Google. Its recent iOS 11.1 update patched KRACK in the iPhone 8, 8 Plus and X. Apple said the iPhone 7 and earlier are not impacted.
KRACK is short for key-reinstallation attacks and can be exploited by an attacker within range of a victim’s Wi-Fi network to read encrypted traffic.
The vulnerability surfaces in the four-way handshake carried out when clients join WPA2-protected networks. A pre-shared network password is exchanged during this handshake, authenticating the client and access point. It’s also where a fresh encryption key is negotiated that will be used to secure subsequent traffic.
It is at this step where the key reinstallation attack takes place; an attacker on the network is able to intercede and replay cryptographic handshake messages, bypassing a mandate where keys should be used only once. The weakness occurs when messages during the handshake are lost or dropped—a fairly common occurrence—and the access point retransmits the third part of the handshake (re-using a nonce), theoretically multiple times.
An attacker sniffing the traffic could replay it offline and piece together enough information to steal secrets.
Google shared the updates with its Android partners and OEMs last month and said source code patches should be available in the Android Open Source Project repository some time today.
In addition to KRACK, Google warned of critical vulnerabilities in its Media framework, a monthly ritual since the Stagefright vulnerabilities. Remote attackers could use crafted media files in order to execute arbitrary code on Android devices through these bugs.
Google said that none of the bugs it patched have been publicly attacked.
The Nov. 1 patch level addresses seven bugs in the Media framework, five of them rated critical affecting most versions of Android.
The Nov. 5 patch level contains patches for a handful of worrisome Qualcomm component vulnerabilities that enable kernel-level access.
Researcher Scott Bauer privately disclosed six flaws that were patched this week that could be remotely exploited. Bauer said in a report he published this week that two other remotely exploitable flaws he disclosed remain unpatched.
The most critical of fixed bugs is CVE-2017-11013, Bauer told Threatpost.
“They’re all kernel bugs. But this one is the one that scares me the most, Bauer said. “The reason why this is the worst one is because it is a bug in the kernel that a remote attacker can hit. This bug also, without getting technical, has the possibility for real hackers to start using.”
Bauer said the vulnerabilities are in the qcacid Qualcomm/Atheros Wi-Fi- driver. He said he’s aware of the driver shipping in at least two Android phones: the Pixel (and Pixel Gen2 and 5x).
Bauer said this particular flaw is most dangerous because it is remote and a proximal bug into the kernel.
“All that would have to happen is someone would have to trick you into connecting onto a wireless access point. They could name it the same as your home Wi-Fi, with the same MAC address as your home Wi-Fi and your phone would connect automatically,” Bauer said. “Once the connection happens, your phone is compromised with no sign to the user.”