An amazing piece of work by cybersecurity researcher Mathy Vanhoef of the Belgian university KU Leuven has woken the world to an unprecedented vulnerability in WiFi networks. In his paper, Vanhoef demonstrated that every WiFi connection is potentially vulnerable to a security flaw that hackers can use to snoop on internet traffic. Vanhoef discovered serious weaknesses in WPA2, a protocol that secures all modern protected WiFi networks. In his paper, he claimed that an attacker within range of a victim WiFi network can exploit these weaknesses using key reinstallation attacks (KRACK).
With a KRACK attack, an attacker can read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. Vanhoef said, “The attack works against all modern protected WiFi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.”
Vanhoef said that the weaknesses are in the WiFi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. “Note that if your device supports WiFi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks,” said Vanhoef.
After this, the US-CERT also announced several vulnerabilities in the WPA2 encryption implementation in clients and APs. This is the first known significant “crack in the code” to wireless networks in over 10 years.
Who is affected by KRACK?
Organisations (corporate enterprises, businesses, schools and universities, retail shops and restaurants, government agencies etc.) that have deployed WiFi networks using WPA2 encryption are affected by KRACK. When mobile users connect to these WiFi networks with smartphones, tablets, laptops, and other devices, they are exposed to these vulnerabilities. Both 802.1X (EAP) and PSK (password) based networks are affected.
What is WPA2?
WPA2 (802.11i) is currently the standard for wireless link security in WiFi networks. It uses either 802.1X (EAP) or pre-shared key (password) based authentication. In 802.1X, the client is authenticated by a backend RADIUS server when the wireless connection is set up. During the authentication process, the client and the RADIUS server each generate a common master key at their end. The master key is sent from the RADIUS server to the AP over a secure wired network. In PSK, the master key is installed in the client and the AP by entering the same passphrase (password) on both sides. The master key is then used to generate a hierarchy of “temporal keys”, which provide encryption and integrity protection for data sent over the wireless link between the AP and the client. This cryptographic protection uses the CCM protocol (CCMP), which uses AES-CTR for encryption and AES-CBC for integrity protection.
How exactly does this KRACK vulnerability work?
Vulnerabilities have been discovered in how clients and APs implement, in software, the state machines for the WPA2 temporal key generation and transportation handshakes. The vulnerabilities can be exploited by manipulating certain handshake messages over the air. The exploit results in the reuse of some packet numbers when handshakes are performed.
Reuse of packet numbers violates the fundamental principle on which the strength of WPA2 encryption and replay security is based. The principle is that, for a given WPA2 temporal key, no two packet transmissions protected by that key may use the same packet number, and the receiver must only accept a new packet if its packet number is higher than that of the most recently received packet. For packet pairs where the first part of this principle is violated, it is possible to determine the content of one packet if the plaintext of the other packet is known or can be guessed. When the second part of the principle is violated, an adversary can replay old packets to the receiver.
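The two halves of that principle can be seen in a small model. The following Python sketch is an added example, not code from Vanhoef's paper or from any WiFi implementation: the keystream function is a hash-based stand-in for AES-CTR (an assumption made so the example runs with the standard library only), and the key and payloads are constructed sample values.

```python
import hashlib

def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    # Stand-in for AES-CTR (assumption): the keystream depends only on the
    # temporal key, the packet number and a block counter, as in counter mode.
    out = b""
    block = 0
    while len(out) < length:
        seed = key + packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(seed).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, packet_number: int, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, packet_number, len(plaintext)))

def recover(ct_known: bytes, pt_known: bytes, ct_other: bytes) -> bytes:
    # Same key + same packet number => same keystream, which cancels out.
    return xor(xor(ct_known, pt_known), ct_other)

class Receiver:
    """Second half of the rule: accept only strictly increasing packet numbers."""
    def __init__(self) -> None:
        self.last_pn = -1
    def accept(self, packet_number: int) -> bool:
        if packet_number <= self.last_pn:
            return False  # replayed or stale packet
        self.last_pn = packet_number
        return True

# Constructed sample data (not real traffic or keys).
KEY = b"constructed-temporal-key"
KNOWN = b"GET / HTTP/1.1\r\n"   # plaintext the observer can guess
OTHER = b"password=hunter2"     # plaintext the key should protect

def reused_packet_number() -> bytes:
    return recover(encrypt(KEY, 1, KNOWN), KNOWN, encrypt(KEY, 1, OTHER))

def unique_packet_numbers() -> bytes:
    return recover(encrypt(KEY, 1, KNOWN), KNOWN, encrypt(KEY, 2, OTHER))

if __name__ == "__main__":
    print("reused PN :", reused_packet_number())
    print("unique PNs:", unique_packet_numbers())
    rx = Receiver()
    print("accept 1, 2, then 1 again:", [rx.accept(n) for n in (1, 2, 1)])
```

With a reused packet number the second payload comes back in full; with distinct packet numbers the same computation yields only noise, and the receiver's counter check rejects the repeated number.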
What is the remedy for KRACK?
Of the 10 vulnerabilities disclosed, 9 are due to flaws in the client software implementation, and therefore must be fixed in the client device (phone, tablet, etc.). Most providers of handheld device operating systems are expected to issue a software update immediately that users should download and install. However, until those client devices have been patched, the wireless access point (AP) can provide mitigation for these vulnerabilities, by blocking the dangerous handshake messages that are known to trigger these vulnerabilities.