WPA2, a protocol that secures modern protected Wi-Fi networks, sports serious weaknesses that can allow attackers to read and capture information that users believe to be encrypted (e.g. passwords, payment card numbers, etc.).
“Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites,” says Mathy Vanhoef, a postdoc at Belgian University of Leuven, who discovered the weaknesses and led the research.
He also came up with KRACK, i.e. key reinstallation attack, to exploit the flaws.
The KRACK attack
To understand how the attack works, one must understand how a client joining a protected Wi-Fi network receives an encryption key needed for safe communication.
“When a client joins a network, it executes the 4-way handshake to negotiate a fresh encryption key. It will install this key after receiving message 3 of the 4-way handshake. Once the key is installed, it will be used to encrypt normal data frames using an encryption protocol,” Vanhoef explained.
“However, because messages may be lost or dropped, the Access Point (AP) will retransmit message 3 if it did not receive an appropriate response as acknowledgment. As a result, the client may receive message 3 multiple times. Each time it receives this message, it will reinstall the same encryption key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by the encryption protocol.”
These key reinstallation can occur spontaneously if the last message of a handshake is lost due to background noise, so a re-transmission of the previous message is needed. “When processing this retransmitted message, keys may be reinstalled, resulting in nonce reuse just like in a real attack,” Vanhoef noted.
But this same result can be forced by an attacker who managed to achieve a Man-in-the-Middle position.
“In a key reinstallation attack, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying cryptographic handshake messages. When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value,” Vanhoef added.
“Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice. We show that an attacker can force these nonce resets by collecting and replaying retransmissions of message 3 of the 4-way handshake. By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged.”
Several types of cryptographic Wi-Fi handshakes are affected by the attack: Four-way, Group Key, PeerKey, TDLS, and fast BSS Transition. The different CVE numbers assigned to the vulnerability reflect specific instantiations of the KRACK attack, so that it’s easier to track which products are affected by which instantiation.
The KRACK attack can be aimed at many different devices running a variety of OSes.
“Our attack is especially catastrophic against version 2.4 and above of wpa_supplicant, a Wi-Fi client commonly used on Linux. Here, the client will install an all-zero encryption key instead of reinstalling the real key,” Vanhoef noted.
Android also uses wpa_supplicant, and all Android versions higher than 6.0 are affected by the attack, as demonstrated in this video:
The found weaknesses are in the Wi-Fi standard, so any correct implementation of WPA2 is likely affected. Also, chances are good that if your device supports Wi-Fi, it is affected.
On the other hand, the KRACK attack has its limitations. For one, the attack can’t be deployed by remote attackers – they have to be within the wireless communications range of an affected AP and the victim client.
Secondly, Web sites that correctly implement SSL/TLS (HTTPS) are still secure in theory, as the users’ browser negotiates a separate encryption layer. Alas, there are sites out there who have this protection improperly configured and, as Vanhoef noted, there are many instances in which HTTPS protection can be bypassed.
Risk mitigation and attack prevention
“Luckily, [WPA2] implementations can be patched in a backwards-compatible manner,” Vanhoef added.
“This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access points sends exactly the same handshake messages as before, and at exactly the same moments in time. However, the security updates will assure a key is only installed once, preventing our attacks. So again, update all your devices once security updates are available.”
The good news is that some vendors have already begun pushing out the patches, and most of them are expected to offer a patch in the very near future. Google said that they will be patching any affected devices “in the coming weeks.”
It is on users and administrators to implement those patches as soon a possible.
“Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates,” the researcher explained.
“In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.”
CERT/CC offers a list of vendors whose products are affected, but keep in mind it is unlikely to be definitive.
As a temporary risk mitigation, smartphone owners could also switch to using mobile data instead of Wi-Fi when connecting to sites that handle sensitive information (e.g. online banking sites, dating sites, etc.). Connecting your computers to the Internet via a wired ethernet connection instead of Wi-Fi until you can install the needed patches might also be a good idea.