Monday, 23 October 2017
WPA2 vulnerability is a serious flaw in the wireless encryption protocol
Users are urged to continue using WPA2 pending the availability of a fix, experts have said, after security researchers went public with more information about a serious flaw in the wireless encryption protocol.
So-called Key Reinstallation Attacks, aka KRACK, potentially work against all modern protected Wi-Fi networks. Depending on the network configuration and the device targeted, it is possible to inject and manipulate data as well as eavesdrop on communications over the air. The main limitation is that an attacker needs to be within range of a victim to exploit these weaknesses.
It affects WPA2 Personal and Enterprise, regardless of the encryption ciphers used by a network. It mostly affects Linux and Android 6.0 and above, as well as macOS and OpenBSD. Windows and iOS are more or less unaffected due to the way they implement WPA2. Gadgets from Cisco, Linksys and other networking gear makers are also vulnerable. You should obtain and install software patches as soon as possible, from your operating system vendor or hardware suppliers, to fix up the WPA2 design flaw.
Mathy Vanhoef of KU Leuven, one of the security researchers who discovered the specification blunder, warned that the security hole stems from a fundamental cryptographic weakness in the latest generation of wireless networking rather than a programming cockup.
Simply changing Wi-Fi network passwords is not going to help – software and firmware will need to be updated to work around this deep design error:
The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available.
KRACK targets the four-way handshake of the WPA2 protocol and relies on tricking a victim's device into reusing an already-in-use key. This sleight of hand is achieved by manipulating and replaying cryptographic handshake messages.
“When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value,” Vanhoef explained today on a microsite about the attack. “Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice.”
An attacker can force these nonce resets by collecting and replaying retransmissions of message three of the four-way handshake.
A nonce is a number that is not necessarily a secret but is meant to be used only once and never repeated. The flaw in WPA2 allows a nonce to be repeated, or forced to be repeated, thus allowing an attacker to extract the WPA2 session key and decrypt and compromise all wireless traffic for that session.
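A simplified model of the nonce reset described above, added here as an illustration (it is not Vanhoef's code or any vendor's patch): it compares a client that reinstalls the key on a retransmitted message three with one that ignores the retransmission. The SHA-256 keystream is a stand-in for the real cipher, and the `Supplicant` class, its flag, the key and the sample frames are all constructed for the example.

```python
import hashlib

P1, P2 = b"first frame ....", b"second frame ..."  # constructed sample frames

def keystream(key, nonce, n):
    # Stand-in for a counter-mode cipher: output depends only on (key, packet number).
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce.to_bytes(6, "big") + bytes([block])).digest()
        block += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Supplicant:
    """Toy client side of the four-way handshake (hypothetical model)."""
    def __init__(self, reinstall_same_key):
        self.reinstall_same_key = reinstall_same_key  # True = unpatched behaviour
        self.key, self.nonce = None, 0
        self.seen = set()  # (key, nonce) pairs already used, for detection

    def on_message3(self, key):
        # Patched model: a retransmitted message 3 carrying the key that is
        # already in use does not trigger a second install.
        if key == self.key and not self.reinstall_same_key:
            return
        self.key, self.nonce = key, 0  # installing resets the transmit packet number

    def send(self, plaintext):
        self.nonce += 1
        pair = (self.key, self.nonce)
        reused = pair in self.seen  # True means a nonce was repeated under one key
        self.seen.add(pair)
        return xor(plaintext, keystream(self.key, self.nonce, len(plaintext))), reused

def run(reinstall_same_key):
    key = b"constructed-session-key"
    client = Supplicant(reinstall_same_key)
    client.on_message3(key)
    c1, _ = client.send(P1)
    client.on_message3(key)  # retransmission of message 3 arrives
    c2, reused = client.send(P2)
    return c1, c2, reused

if __name__ == "__main__":
    for label, flag in (("unpatched", True), ("patched", False)):
        c1, c2, reused = run(flag)
        print(label, "nonce reused:", reused, "| keystream cancels:", xor(c1, c2) == xor(P1, P2))
```

In the unpatched run both frames are encrypted under the same key and packet number, so XORing the two ciphertexts cancels the keystream; in the patched run the counter keeps advancing and no pair repeats.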
As a proof-of-concept, Vanhoef has published a demonstration of how a key reinstallation attack might be carried out against an Android smartphone. Android and Linux are particularly susceptible to the WPA2 flaw because a bug in the platform's widely used wpa_supplicant tool zeroes the key during the eavesdropping, so the Wi-Fi traffic can be trivially decrypted.
In short, other than Windows and iOS, the vulnerability can be exploited on various operating systems, computers and devices to decrypt any information transferred over the air that isn't already encrypted with HTTPS, TLS, a VPN tunnel, or similar.