Devastating flaw puts almost every wi-fi network at risk

A major security issue at the heart of the WPA2 security protocol that underpins most modern wi-fi networks has put almost all personal and enterprise wireless-enabled devices and networks at risk of attack.

Security researcher Matty Vanhoef discovered and today published detail of the so-called KRACK (key reinstallation attack) flaw, which he found can be abused to steal sensitive data like credit card numbers, passwords, emails, photos and chat messages, as well as corporate information.

Given the weakness lives in the WPA2 encryption protocol as opposed to specific implementations or products, any correct implementation of the standard is likely to be impacted by the security issue.

The KRACK attack works against both the older WPA and currently recommended WPA2 protocols; the GCMP, AES-CCMP, and WPA-TKIP ciphers; and personal and enterprise networks, Vanhoef found.

"The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others," US-CERT warned vendors on August 28.

"Note that as protocol-level issues, most or all correct implementations of the standard will be affected."

The vulnerability poses a big problem for businesses who operate local wi-fi networks and assume they are trusted environments; enterprises with authentication-free network resources, as an example, are specifically at great risk.

How does it work?

In simple terms, an attacker can adopt a man-in-the-middle position and force access points and client devices to reinstall the encryption key used by the WPA2 protocol to protect traffic.

The weakness lies in the third step of the four-way handshake the protocol uses to authenticate devices onto the network.

As part of this handshake, a fresh encryption key is negotiated and used to encrypt traffic.

The KRACK attack allows an attacker to trick a victim device into reinstalling an already-negotiated encryption key.

WPA2 does not specify keys can only be used and installed once in case packets get lost in transmission; an access point will transmit the third message - containing the key - each time it doesn't receive an adequate response from the client device.

This means an attacker can force a replay of the third step in the handshake process and reset the keystream back to its starting condition.

A successful KRACK attack would allow an adversary to not only decrypt network traffic from a victim device on a WPA/2 network, but also to hijack connections and in some cases inject malware or ransomware into unencrypted HTTP connections - such as websites visited by the victim device.

Android, Linux worst hit

Apple, Windows, Android, OpenBSD, Linux and a range of router vendors are affected by the flaw.

Android and Linux are especially vulnerable because they use the wpa-supplicant client that can be exploited to install an encryption key with a value of 0 instead of reinstalling the real one.

This allows the attacker to easily ascertain the key, set up a fake wi-fi access point and establish a man-in-the-middle position for all traffic.

Vanheof said 41 percent of Android devices were vulnerable to this type of attack.

iOS and Windows don't accept retransmissions of the third message in the four-way handshake, which although goes against the WPA2 protocol, fortuitously protects against a KRACK attack.

MacOS and OS X, however, are vulnerable, Vanhoef found.

Patches and mitigation

The vulnerabilities exploited by the KRACK attack are being monitored through a number of CVEs, specifically CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, and CVE-2017-13088.

Vanhoef said he notified several vendors and the US CERT on July 14. A broader warning was sent out by the CERT to more vendors on August 28.

OpenBSD has silently patched the vulnerability. Microsoft has also reportedly issued a patch for supported versions of Windows..

Detail on further patches is currently unclear. US-CERT has listed those impacted as well as their responses.

Since attackers do not need to know a wi-fi network password to successfully carry out a KRACK attack, changing this credential won't mitigate against it.

Wi-fi network operators and users are instead forced to wait for device vendors to provide firmware updates that patch against the vulnerability.

An attacker also needs to directly connect with the wi-fi access point to execute the attack, and therefore be within physical proximity of the device. Remote and large-scale attacks are not possible.

Communication over HTTPS is unaffected by the WPA2 vulnerability and cannot be decrypted.

Users are advised to use sites and services such as HTTPS that encrypt data from the browser to the server, and implement patches as soon as they become available.

The Wi-Fi Alliance has detailed a plan to remedy the vulnerabilities with vendors, Vanhoef said.