A devastating weakness plagues the WPA2 protocol used to secure all modern Wi-Fi networks, and it can be abused to decrypt traffic from enterprise and consumer networks with varying degrees of difficulty.
Not only can attackers peek at supposedly encrypted traffic to steal credentials and payment card data, for example, but in some setups, a third party could also inject malicious code or manipulate data on the wireless network.
Some vendors have already issued security updates and users are advised to patch immediately. U.S. CERT has published a list of affected vendors, but users should note the list is not comprehensive.
News of the issue emerged over the weekend and had even the most cynical observers on edge. Discovered and disclosed by Belgian researcher Mathy Vanhoef of The Katholieke Universiteit Leuven (KU Leuven), the attack can be carried out by someone within range of the victim’s local network using key re-installation attacks, also known as KRACK.
“The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations,” Vanhoef wrote in an advisory published today. “Therefore, any correct implementation of WPA2 is likely affected.”
More details are available in a video, below, and in a research paper also published today called “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2,” scheduled to be formally presented Nov. 1 at the Computer and Communications Security (CCS) conference and at Black Hat Europe.
Vanhoef said he began privately notifying vendors of products he had tested around July 14 and quickly learned the scale of this issue was in the protocol rather than limited to specific implementations. CERT/CC made a “broad notification” to vendors on Aug. 28, Vanhoef said. He added that OpenBSD has already silently patched the weakness, which Vanhoef said he regretted because he feared attackers could reverse engineer the patch before others had an opportunity to release their fixes.
“To avoid this problem in the future, OpenBSD will now receive vulnerability notifications closer to the end of an embargo,” he wrote.
The attack concentrates on the four-way handshake carried out when clients join WPA2 networks. It’s here where pre-shared network passwords are exchanged authenticating the client and access point, and also where a fresh encryption key is negotiated that will be used to secure subsequent traffic. It is at this step that the key reinstallation attack takes place; an attacker on the network is able to intercede and replay cryptographic handshake messages, bypassing the mandate that keys be used only once.
The weakness occurs when messages during the handshake are lost or dropped—a fairly common occurrence—and the access point retransmits the third part of the handshake, theoretically multiple times.
“Each time it receives this message, it will reinstall the same encryption key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by the encryption protocol. We show that an attacker can force these nonce resets by collecting and replaying retransmissions of message 3 of the 4-way handshake,” Vanhoef wrote. “By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged. The same technique can also be used to attack the group key, PeerKey, TDLS, and fast BSS transition handshake.”
Vanhoef said an attacker could decrypt packets thereafter because the transmit nonces, or packet numbers, would be reset to zero and re-use the same crypto key over and over when encrypting packets.
“In case a message that reuses keystream has known content, it becomes trivial to derive the used keystream. This keystream can then be used to decrypt messages with the same nonce. When there is no known content, it is harder to decrypt packets, although still possible in several cases,” Vanhoef wrote. “In practice, finding packets with known content is not a problem, so it should be assumed that any packet can be decrypted.”
This puts TCP SYN packets at risk of decryption, allowing an attacker to inject malicious code into a stream, including malware such as ransomware, into a site the victim visits. Vanhoef also cautioned that connections using WPA-TKIP or GCMP face “especially catastrophic” impacts. GCMP, he points out, is being rolled out as Wireless Gigabit and could be widely adopted shortly.
Vanhoef said Linux and Android systems are especially at risk because they use wpa_supplicant 2.4 and higher, the most commonly used Wi-Fi client on Linux. In these cases, the client reinstalls an all-zero encryption key rather than the real key; Android 6.0 and above is also vulnerable and trivial to exploit.
“This vulnerability appears to be caused by a remark in the Wi-Fi standard that suggests to clear the encryption key from memory once it has been installed for the first time,” Vanhoef said. “When the client now receives a retransmitted message 3 of the 4-way handshake, it will reinstall the now-cleared encryption key, effectively installing an all-zero key.”
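The two mechanisms the article describes, a replayed message 3 resetting the packet number so that keystream repeats, and a client that has already cleared its key from memory ending up with an all-zero key, can be modelled in a few dozen lines. The simulation below is an added example, not code from Vanhoef’s paper or from wpa_supplicant; the `Supplicant` state machine, the `patched` and `clears_key_after_install` flags, the sample packets and the SHA-256 counter-mode keystream are all constructed stand-ins (the real protocol uses CCMP or GCMP, but the only property that matters here is that the same key and packet number produce the same keystream). It also shows the mitigation vendors shipped: acknowledge a retransmitted message 3 without reinstalling the key.

```python
import hashlib

# Constructed stand-in for the CCMP/GCMP keystream: SHA-256 in counter mode keyed by
# (key, packet number). Not the real cipher; it only models the property that matters
# here: an identical (key, packet number) pair yields identical keystream.
def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + packet_number.to_bytes(6, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Toy client state machine for message 3 of the 4-way handshake (constructed)."""

    def __init__(self, ptk: bytes, clears_key_after_install: bool, patched: bool):
        self.ptk = ptk                  # pairwise key derived from messages 1 and 2 (constructed value)
        self.clears_key_after_install = clears_key_after_install  # the wpa_supplicant 2.4+ behaviour described above
        self.patched = patched          # patched: install the key only once per handshake
        self.installed_key = None
        self.tx_packet_number = None
        self.key_installed = False

    def receive_message3(self) -> None:
        if self.patched and self.key_installed:
            return  # mitigation: reply with message 4 but do not reinstall the key
        # A client that already wiped the PTK installs whatever is left in memory: all zeros.
        self.installed_key = self.ptk if self.ptk is not None else bytes(16)
        self.tx_packet_number = 0       # reinstalling the key resets the transmit nonce
        self.key_installed = True
        if self.clears_key_after_install:
            self.ptk = None

    def encrypt(self, plaintext: bytes):
        pn = self.tx_packet_number
        self.tx_packet_number += 1
        return pn, xor(plaintext, keystream(self.installed_key, pn, len(plaintext)))


def recover_from_known_plaintext(known_pt, known_ct, known_pn, target_ct, target_pn):
    """Keystream recovery from a packet with known content; only meaningful if the nonce repeats."""
    if known_pn != target_pn:
        return None
    return xor(target_ct, xor(known_pt, known_ct))


KNOWN_PACKET = b"GET /index.html HTTP/1.1"   # predictable content (constructed)
SECRET_PACKET = b"Cookie: session=s3cr3t!!"  # same length, content worth protecting (constructed)
PTK = bytes.fromhex("00112233445566778899aabbccddeeff")


def run_scenario(patched: bool, clears_key_after_install: bool = False) -> dict:
    client = Supplicant(PTK, clears_key_after_install, patched)
    client.receive_message3()                    # genuine message 3 from the access point
    pn1, ct1 = client.encrypt(KNOWN_PACKET)
    client.receive_message3()                    # retransmitted (replayed) message 3
    pn2, ct2 = client.encrypt(SECRET_PACKET)
    return {
        "packet_numbers": (pn1, pn2),
        "installed_key": client.installed_key,
        # nonce-reuse decryption, as in the quoted passage on known keystream content
        "recovered": recover_from_known_plaintext(KNOWN_PACKET, ct1, pn1, ct2, pn2),
        # decryption under an all-zero key needs no known plaintext at all
        "zero_key_decrypt": xor(ct2, keystream(bytes(16), pn2, len(ct2))),
    }


if __name__ == "__main__":
    for patched in (False, True):
        for clears in (False, True):
            r = run_scenario(patched, clears)
            print(f"patched={patched} clears_key={clears} packet_numbers={r['packet_numbers']} "
                  f"key={r['installed_key'].hex()} recovered={r['recovered']} "
                  f"zero_key={r['zero_key_decrypt']}")
```

Running the four combinations shows the two failure modes side by side: the unpatched client transmits both packets under packet number 0, so one packet with known content exposes the other; the unpatched client that clears its key transmits the second packet under an all-zero key, so no known content is needed; and the patched client keeps its packet number at 1 and its real key in both cases.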