Critical vulnerabilities in WPA2 protocol detected - Key Reinstallation Attacks (KRACK)

Published on October 16, 2017

Critical vulnerabilities in WPA2 protocol detected - Key Reinstallation Attacks (KRACK)


     
    A team of researchers found serious flaws in the WPA2 protocol, which provides protection for all modern Wi-Fi networks. An attacker in the victim’s area can exploit these flaws using Key Reinstallation Attacks. Attackers can use this new attack method to read information that was previously considered encrypted.

    UPD: the post has been updated with partial attack details and a list of vendor updates.

    Vulnerabilities in WPA2 allow you to bypass protection and listen to Wi-Fi traffic transmitted between the access point and the computer. They are assigned the following CVE identifiers:

    • CVE-2017-13077 : Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
    • CVE-2017-13078 : Reinstallation of the group key (GTK) in the 4-way handshake.
    • CVE-2017-13079 : Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
    • CVE-2017-13080 : Reinstallation of the group key (GTK) in the group key handshake.
    • CVE-2017-13081 : Reinstallation of the integrity group key (IGTK) in the group key handshake.
    • CVE-2017-13082 : Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
    • CVE-2017-13084 : Reinstallation of the STK key in the PeerKey handshake.
    • CVE-2017-13086 : reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
    • CVE-2017-13087 : reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
    • CVE-2017-13088 : reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.

    In a key reinstallation attack, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying cryptographic handshake messages. When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (ie nonce) and receive packet number (ie replay counter) are reset to their initial value. Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice.

    As a Proof-of-Concept, a video has been provided on which an attack on an Android smartphone has been demonstrated:



    Researchers have created a site on which in the near future they promise to publish more detailed attack details. A repository has also been created (so far empty).

    Some manufacturers are already aware of the problem:
    US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT / CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.

    The technical details of the attack are partially disclosed by an article by one of the researchers: papers.mathyvanhoef.com/ccs2017.pdf

    Disclosure of information about the attack is scheduled for today, October 16, 2017. As information becomes available, the post will be updated.

    UPD:
    The attack works against frequent and corporate Wi-Fi networks, against outdated WPA and the latest WPA2 standard, and even against networks that use exclusively AES. All our attacks targeting WPA2 use an innovative key reinstallation technique, ”wrote the authors of KRACK.

    Essentially, KRACK allows an attacker to carry out a man-in-the-middle attack and force network members to re-install encryption keys that protect WPA2 traffic. In addition, if the network is configured to use WPA-TKIP or GCMP, an attacker can not only listen to WPA2 traffic, but also inject packets into the victim’s data.

    The KRACK method is universal and works against any devices connected to a Wi-Fi network. That is, absolutely all users of Android, Linux, iOS, macOS, Windows, OpenBSD, as well as numerous IoT devices are in danger.

    According to the researchers, the exploit will not be published until most vendors release the update.

    Check for the presence / absence of a patch for a specific vendor hereor on the manufacturer’s homepage.