Key Reinstallation Attacks (KRACK) affecting WPA Protocol – Advisory

Hacking, Network security, Vulnerability Notification Leave a comment

Summary

On October 16th, several vulnerabilities affecting the Wi-Fi Protected Access II (WPA2) protocol were disclosed by security researchers in coordination with the U.S CERT. The WPA2 protocol, also known as IEEE 802.11i-2004, was designed and implemented as a replacement for the insecure Wired Equivalent Privacy (WEP) protocol. WPA2 is widely used to secure personal and corporate Wi-Fi networks around the world.

The vulnerabilities disclosed, collectively named Key Reinstallation Attacks (KRACK), allow a potential attacker to decrypt network traffic, and in certain scenarios, inject forged packets into existing network connections. The attacks described do not expose the WPA2 password, thus it’s not necessary for clients to change these passwords.

The vulnerabilities have wide-ranging impact across different vendors, configurations, and against clients (end-user systems) and Wireless Access Points (WAPs). Most wireless devices and WAPs are impacted in varying ways and with different criticalities. The most common configurations of WPA2 allow attackers to at least decrypt messages sent between the client and the WAP.

The impact of the vulnerabilities on end-user WI-FI client devices and WAPs varies wildly based on several factors. Additional information on the impact for different vendors, configurations, and implementations is available in the “versions affected” section of this advisory.

While the impact of these vulnerabilities is wide-ranging and in some cases, critical, it’s important to clarify that these issues are fixable and that there is no public exploit code for these vulnerabilities (at the time of writing). The U.S CERT has been coordinating with vendors (of both end-user devices and WAPs) to ensure patches are developed and released to mitigate these potential attacks.

Additionally, some client side implementations of the WPA standards, such as Microsoft Windows operating systems and Apple iOS, are not vulnerable to most of the attacks. Several vendors, including Aruba, Meraki, and Google, as well as several Linux distributions have already released patches to mitigate these vulnerabilities for both WAPs and WI-FI clients.

Description

The attacks mostly target the 4-way handshake used by WPA and WPA2. This handshake is used when clients want to join protected WI-FI networks. The 4-way handshake is used to confirm that the client and the WAP both have the correct credentials (passwords or certificates) and to negotiate encryption settings (such as encryption keys) that will be used for the duration of the session.

In one of the KRACK attacks described by the researchers, an attacker would trick a victim’s device into re-installing an already used key by capturing and replaying the 3rd message of the WPA2 handshake. When a victim’s device reinstalls the key, several cryptographic parameters are reset to their initial values. The reset of these values makes it trivial for attackers to decrypt messages that are sent with the same key.

Some of the attacks described by researchers could also allow for packets to be forged and injected into existing sessions. However, the feasibility of injecting packets is highly dependent on the WPA cipher suites and features being used, and on the WI-FI client’s implementation of the WPA protocol.

Additionally, If the WPA2 implementation allows for forged packet injection, it’s possible for attackers to “man in the middle” (MITM) WI-FI traffic. Using MITM, attackers could potentially inject malicious code into existing HTTP sessions in order to execute malicious code on end-user endpoints. Attackers can also leverage MITM positions and tools such as “SSLStrip” to remove HTTPs (TLS) encryption from misconfigured websites and capture login credentials. However, packet injection requires that WPA2 be configured non-default cipher suites and that the WI-FI client implementation is vulnerable.

Below are the CVEs assigned to the disclosed vulnerabilities. All these vulnerabilities refer to the same type of attack (KRACK) but affect distinct set of encryption protocols and WPA configurations:

  • CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
  • CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
  • CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
  • CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
  • CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
  • CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
  • CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
  • CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
  • CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
  • CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.

Affected Versions

The vulnerabilities disclosed today exist in the Wi-Fi standard itself, not in any individual product or implementation. Therefore, any implementation of WPA2 is most likely affected by at least one of these vulnerabilities. The attacks work against WPA and WPA2 and have varying levels of impact based on the cipher suites and WPA features being used.

The WPA protocol includes support for several different cipher suites and features. The section below describes the impact of these attacks on different cipher suites available for WPA2:

KRACK attack’s impact on WPA2 cipher suites:

  • WPA2–AES-(CCPM) (most common implementation) – WPA2 AES-CCMP is the most common implementation of WPA2 and default on most home and enterprise Wireless Access Points. In this configuration, attackers can replay and decrypt messages sent from the WI-FI Client to the WAP. However, attackers must “clone” the MAC address (BSSID) of an access point on the target network and force the client onto a different WI-FI channel before they can capture and decrypt packets.[1]
  • WPA2-TKIP – WPA2 with Temporal Key Integrity Protocol (TKIP) is an encryption scheme with several known security weaknesses and not recommended or enabled by default. WPA2-TKIP is vulnerable to replay, decryption, and forged packet injection. In this mode, it’s possible for attackers to inject forged packets into existing sessions and run malicious code on impacted end-user devices (WI-FI clients) if the WI-FI clients are vulnerable.
  • WPA2-GCMP – WPA2 with Galois/Counter Mode Protocol (GCMP) is the most impacted. This configuration is vulnerable to replay, decryption, and forged packet injection. Additionally, attackers can forge packets in both directions (to the client or to the WAP).

Different WI-FI clients (such as end-user devices) have different implementations of the WPA2 protocol, some of which are vulnerable to different types of attacks. The section below describes the impact of these types of attacks against WI-FI client implementations.

WI-FI client implementations and vulnerabilities:

  • Microsoft Windows (7 & 10) – The Microsoft Windows implementation of the WPA2 standard makes it resilient against most of the attacks described by the researchers. Microsoft Windows is not vulnerable to packet decryption or forging.
  • macOS Sierra (10.12) & High Sierra (10.13) – The Apple macOS implementation of the WPA2 standard makes it possible for attackers to replay, decrypt, and inject forged packets into existing network connections. [2]
  • Google Android Marshmallow (6.0), Nougat (7.0), and Oreo (8.0) – Recent versions of the Google Android mobile operating system are the most impacted. The Android implementation of the WPA2 standard allows attackers to “resend” a WPA2 key that is a predictable all-zero encryption key. This allows attackers to replay, decrypt, and inject forged packets into existing network connections.2. Google has already issued patches for Android.
  • Linux & Unix Operating Systems – Most Linux and Unix operating systems are impacted. The level of impact is the same as Android described above. The Linux / Unix implementation of the WPA2 standard (known as wpa_supplicant) allows attackers to “resend” a WPA2 key that is a predictable all-zero encryption key and thus replay, decrypt, and inject forged packets into existing network connections. 2
  • Apple iOS 10.x and 11.x – Similar to Microsoft Windows, the Apple iOS implementation of the WPA protocol makes it resilient against most the attacks described by the researchers. Apple iOS is not vulnerable to packet decryption or forging.

Mitigation and Response

Kudelski Security recommends that client’s reach out to their Wireless Access Point (WAP) and WI-FI client vendors about potential patches or mitigations and patch their WAPs and end user systems (WI-FI clients) as soon as possible. The U.S CERT is tracking remediation and patching efforts across several different vendors (both WAP vendors and WIFI-Clients such as Apple macOS or Google Android). The data is available here:

https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4

Major vendors of Wireless Access Points (such as Meraki, Aruba, Cisco, etc) have already released software updates to remediate these vulnerabilities on their WAPs. Note that WPA2 implementations can be patched in a backwards-compatible manner, meaning that a patched client can still communicate with an unpatched access point and vice versa. Note that these attacks do not allow attackers to recover the WPA2 password, so it is not necessary to change the password after patching the devices.

Additionally, Kudelski Security highly encourages that all clients disable WPA2-TKIP and WPA2-GCMP as these WPA2 cipher suites are especially vulnerable to the attacks and allow attackers inject forged packets into existing sessions. Kudelski Security recommends that clients configure their Wireless Access Points (WAPs) to use WPA2 enterprise with AES and patch their end-user systems as soon as possible.

The Kudelski Security Cyber Fusion Center will continue to work closely with our vendor partners to identify methods of detecting these attacks in order to alert our clients.

Sources

Researcher’s page describing the vulnerability and linking to the research paper:

https://www.krackattacks.com/

Research Paper:

https://papers.mathyvanhoef.com/ccs2017.pdf

Aruba Networks patch information:

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007_FAQ_Rev-1.pdf

U.S CERT vulnerability description:

https://www.kb.cert.org/vuls/id/228519

U.S CERT remediation efforts tracker:

https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4

[1] The attacker’s ability to decrypt packets is highly dependent on the WI-FI client’s implementation of WPA2. More information about WI-FI clients and their vulnerability to these attacks is found in the “WI-FI client implementations and vulnerabilities” section of this document.

[2] The attacker’s ability to inject packets into existing connections requires that the Wireless Access Point (WAP) be configured with a WPA2 non-default cipher suite that is vulnerable to packet injection, such as WPA2-TKIP or WPA2-GCMP

Leave a Reply