The KRACK attack allows an attacker to decrypt information included in protected WPA2 traffic. WPA2 standard has been compromised!
Boffins have discovered several key management flaws in the core of Wi-Fi Protected Access II (WPA2) protocol that could be exploited by an attacker to hack into Wi-Fi network and eavesdrop on the Internet communications stealing sensitive information (i.e. credit card numbers, passwords, chat messages, emails, and pictures).
WPA2 standard has been compromised, the flaws, in fact, reside in the Wi-Fi standard itself, and not in the numerous implementations.
The impact could be serious for both companies and home users, any working implementation of WPA2 is likely affected, the only limitation is that an attacker needs to be within the range of a victim to exploit the weaknesses.
The researchers devised an attack method dubbed KRACK attack (Key Reinstallation Attack), it works against almost any WPA2 Wi-Fi network.
The KRACK attack allows attackers to decrypt WiFi users’ data without cracking or knowing the password.
According to the researchers, the KRACK attack works against:
- Both WPA1 and WPA2,
- Personal and enterprise networks,
- Ciphers WPA-TKIP, AES-CCMP, and GCMP
Initially, the researchers discovered that the vulnerabilities affect Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys.
The vulnerabilities were found by the Belgian researcher Mathy Vanhoef of imec-DistriNet, KU Leuven.
The KRACK attack works by exploiting a 4-way handshake of the WPA2 protocol that’s used to establish a key for encrypting traffic.
“When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value,” explained Vanhoef. “Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice.”
The attacker just needs to trick a victim into re-installing an already-in-use key, which is achieved by manipulating and replaying cryptographic handshake messages.
The experts demonstrated how to execute the key reinstallation attack against an Android smartphone in order to decrypt a transmission over a protected WiFi.
According to the experts, the attack is exceptionally effective against Linux and Android 6.0 or higher, because “Android and Linux can be tricked into (re)installing an all-zero encryption key (see below for more info).”
“Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations. ” added the expert.
“Adversaries can use this attack to decrypt packets sent by clients, allowing them to intercept sensitive information such as passwords or cookies.” the researcher say.
“Decryption of packets is possible because a key reinstallation attack causes the transmit nonces (sometimes also called packet numbers or initialization vectors) to be reset to zero. As a result, the same encryption key is used with nonce values that have already been used in the past,”
Below the full list of WPA2 Vulnerabilities discovered in the WPA2 protocol.
- CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
- CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
- CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
- CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
- CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
- CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
- CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
- CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
- CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
- CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
The experts discovered the flaws last year and notified several vendors on July 14, the US-CERT also issued an alert to hundreds of vendors on 28 August 2017.
“US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.” the US-CERT warned.
Further details on the KRACK attack are included in the research paper titled “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2”