A devastating weakness plagues the WPA2 protocol used to secure all modern Wi-Fi networks, and it can be abused to decrypt traffic from enterprise and consumer networks with varying degrees of difficulty.

Not only can attackers peek at supposedly encrypted traffic to steal credentials and payment card data, for example, but in some setups, a third party could also inject malicious code or manipulate data on the wireless network.

Some vendors have already issued security updates and users are advised to patch immediately. U.S. CERT has published a list of affected vendors, but users should note the list is not comprehensive.

News of the issue emerged over the weekend and had even the most cynical observers on edge. Discovered and disclosed by Belgian researcher Mathy Vanhoef of The Katholieke Universiteit Leuven (KU Leuven), the attack can be carried out by someone within range of the victim’s local network using key re-installation attacks, also known as KRACK.

“The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations,” Vanhoef wrote in an advisory published today. “Therefore, any correct implementation of WPA2 is likely affected.”

More details are available in a video, below, and in a research paper also published today called a “Key Resinstallation Attacks: Forcing Nonce Reuse in WPA2,” scheduled to be formally presented Nov. 1 at the Computer and Communications Security (CCS) conference and at Black Hat Europe.

Vanhoef said he began privately notifying vendors of products he had tested around July 14 and quickly learned the scale of this issue was in the protocol rather than limited to specific implementations. CERT/CC made a “broad notification” to vendors on Aug. 28, Vanhoef said. He added that OpenBSD has already silently patched the weakness, which Vanhoef said he regretted because he feared attackers could reverse engineer the patch before others had an opportunity to release their fixes.

“To avoid this problem in the future, OpenBSD will now receive vulnerability notifications closer to the end of an embargo,” he wrote.

The attack concentrates on the four-way handshake carried out when clients join WPA2 networks. It’s here where pre-shared network passwords are exchanged authenticating the client and access point and also where a fresh encryption key is negotiated that will be used to secure subsequent traffic. It is at this step where the key reinstallation attack takes place; an attacker on the network is able to intercede and replay cryptographic handshake messages, bypassing a mandate where keys should be used only once.

The weakness occurs when messages during the handshake are lost or dropped—a fairly common occurrence—and the access point retransmits the third part of the handshake, theoretically multiple times.

“Each time it receives this message, it will reinstall the same encryption key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by the encryption protocol. We show that an attacker can force these nonce resets by collecting and replaying retransmissions of message 3 of the 4-way handshake,” Vanhoef wrote. “By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged. The same technique can also be used to attack the group key, PeerKey, TDLS, and fast BSS transition handshake.”

Vanhoef said an attacker could decrypt packets thereafter because the transmit nonces, or packet numbers, would be reset to zero and re-use the same crypto key over and over when encrypting packets.

“In case a message that reuses keystream has known content, it becomes trivial to derive the used keystream. This keystream can then be used to decrypt messages with the same nonce. When there is no known content, it is harder to decrypt packets, although still possible in several cases,” Vanhoef wrote. “In practice, finding packets with known content is not a problem, so it should be assumed that any packet can be decrypted.”

This puts TCP SYN packets at risk for decryption, allowing an attacker to injection malicious code into a stream, including malware such as ransomware into a site the victim visits. Vanhoef also cautioned that connections using WPA-TKIP or GCMP face “especially catastrophic” impacts. GCMP, he points out, is being rolled out as Wireless Gigabit and could be widely adopted shortly.

Vanhoef said Linux and Android systems are especially at risk because of their use of the wpa_supplicant 2.4 and higher, the most commonly used Wi-Fi client on Linux. In these instances, the client reinstalls an all-zero encryption key rather than the real key; Android 6.0 and above also is also vulnerable and trivial to exploit.

“This vulnerability appears to be caused by a remark in the Wi-Fi standard that suggests to clear the encryption key from memory once it has been installed for the first time,” Vanhoef said. “When the client now receives a retransmitted message 3 of the 4-way handshake, it will reinstall the now-cleared encryption key, effectively installing an all-zero key.”

Categories: Privacy, Vulnerabilities

Comments (7)

  1. Dr. Hilliard Haliard

    Note that you’re not like Wile E. Coyote stepping off a cliff, but not starting to fall until realizing that there’s nothing under his feet. You’re not suddenly insecure, but were always insecure, just as with any other catastrophic vulnerability that’s been there for years. Who knows what other disastrous flaws are making your emails and your porn preferences accessible to anyone interested in them?

  2. Adam

    If I a reading this correctly, the attacker has to be on the wireless network in order to take advantage of this vulnerability. Is that an accurate statement, or am I misunderstanding?

  3. Harsh

    @Adam The attacker does not have to be on the same network but he has to be within the wifi networks range

  4. Peter Roe

    Fixing network access to known Mac addresses will fix this temporarily until the wireless protocols can be upgraded.

    • CaptainObvious

      You clearly don’t understand the concept of this flaw. Someone could decrypt wireless traffic and get MAC addresses and wifi credentials. So there goes your idea right out the window. MAC address isn’t some sort of secret either.

  5. Anonymous

    Mac addresses are easily sniffed when in range, thus MAC spoofing would be easy.

Comments are closed.