In this article we will learn The KRACK attack – An Earthquake for Wi-Fi Security.
A group of security researchers has discovered several serious key management vulnerabilities in the core of the Wi-Fi Protected Access II (WPA2) protocol that an attacker could exploit to hack into a Wi-Fi network and eavesdrop on Internet connections. Attacks can steal sensitive information such as credit card numbers, passwords, chat messages, emails and images.
The flaws in The KRACK attack were discovered by Belgian researcher Mathy Vanhoef from imec-DistriNet, KU Leuven, who published a detailed article (called “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2”) that describes an attack method called a KRACK attack (Key Reinstallation Attack). .
The hacking technique proposed by the researchers works against almost any WPA2 Wi-Fi network because the problems lie with the WPA2 Wi-Fi standard itself and not with the various implementations, meaning that WPA2 has been compromised.
The impact can be severe for both companies and home users, any working WPA2 implementation is likely to be affected, the only limitation being that an attacker must be within range of the victim to exploit the weaknesses.
“We discovered serious weaknesses in WPA2, the protocol that secures all modern protected Wi-Fi networks. An attacker in range of the victim can exploit these weaknesses using key reinstallation attacks (KRACKs),” according to a post published by Vanhoef. “Attackers can specifically use this new attack technique to read information that was previously thought to be securely encrypted. The KRACK attack can be exploited to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos and so on. The attack works against all modern protected Wi-Fi networks.”
Also read about The KRACK attack related:The Rise of MBR Ransomware-by Blackhat Pakistan 2023
The KRACK attack:
The KRACK attack allows attackers to decrypt the traffic of WiFi users without cracking or knowing the password; experts pointed out that depending on the network configuration, it is also possible to insert and manipulate data. An attacker can perform a KRACK attack and inject malware such as ransomware or other malicious code into websites.
The researchers explained that the KRACK attack works against:
- WPA1 and WPA2,
- Personal and corporate networks,
- WPA-TKIP, AES-CCMP and GCMP ciphers
When the researchers started their tests of the hacking technique, they found that the vulnerabilities affect various operating systems, computers and devices such as Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys.
CERT/CC published a detailed list of devices affected by some variant of the attacks.
The KRACK attack works by exploiting the WPA2 4-way handshake that is used to generate a key to encrypt traffic.
This handshake is performed every time a client connects to a protected Wi-Fi network; it is a mechanism used to confirm that both the client and the access point have the correct credentials (eg a pre-shared network password). The four-way handshake is also used to negotiate a new encryption key that will be used to encrypt all subsequent traffic.
“When the victim re-installs the key, related parameters such as the incremental number of the transmitted packet (i.e. nonce) and the number of the received packet (i.e. replay counter) are reset to their original value,”
Vanhoef explained. “To ensure security, the key should be installed and used only once. Unfortunately, we found that WPA2 does not guarantee this. By manipulating cryptographic handshakes, we can exploit this weakness in practice.”
The KRACK attack exploits the attacker’s ability to trick victims into reinstalling an already used key, which is achieved by manipulating and replaying cryptographic handshake messages.
Experts demonstrated how to perform a key reinstallation attack against an Android smartphone to decrypt transmission over protected WiFi.
The researchers explained that the KRACK attack is exceptionally effective against Linux and Android 6.0 or higher because it is relatively easy for attackers to reinstall an already used key.
“It’s easy for an attacker because our key reinstallation attack is exceptionally devastating against Linux and Android 6.0 or higher. This is because Android and Linux can be tricked into (re)installing an all-zero encryption key (see below for more info). When attacking other devices, it is more difficult to decrypt all packets, although a large number of packets can be decrypted. Anyway, the following example highlights the type of information an attacker can obtain when performing key re-installation attacks against protected Wi-Fi networks,” the expert explained.
“While a website or application may use HTTPS as an additional layer of protection, please note that this special protection can (still) be bypassed in many troubling situations.”
“Adversaries can use this attack to decrypt packets sent by clients, allowing them to capture sensitive information such as passwords or cookies.” said the researcher.
“Packet decryption is possible because a key reinstallation attack causes broadcast nonces (sometimes called packet numbers or initialization vectors) to zero. The result is that the same encryption key is used with nonce values that have already been used in the past.”
As perfectly summarized by Sean Gallagher at Ars Technica, depending on the type of handshake mechanism used between the devices and the access point, a KRACK attack can cause different levels of damage:
For connections using AES and Counter with CBC-MAC ((AES)-CCMP), an attacker could exploit the vulnerability to decrypt traffic and inject content into TCP packet streams. In this attack scenario, the attacker cannot break the key or falsify it, cannot connect to the network, but should use a “cloned” access point with the same MAC address as the access point of the target network, on a different Wi-Fi channel.
For WPA2 systems using Temporal Key Integrity Protocol (TKIP), an attacker can obtain the Message Integrity Code key. An attacker can replay the captured packets to the network, forge and transmit new packets to a target client posing as an access point.
For devices that use the Galois/Counter Mode Protocol (GCMP), the attack is at its worst: “Packets can be replayed and decrypted,” Vanhoef and Piessens wrote. “Additionally, it is possible to recover the authentication key that is used in GCMP to protect both directions of communication [as a client or access point]… so unlike TKIP, an adversary can spoof packets in both directions.” This means that an attacker can essentially connect to a network and pretend to be a client or an access point, depending on the type of access they want. “Given that GCMP is expected to be widely adopted under the name WiGig in the next few years, this is a worrying situation,” the researchers noted.
Below is a complete list of WPA2 security vulnerabilities found in the WPA2 protocol.
- CVE-2017-13077: Pairwise encryption key (PTK-TK) reinstallation in 4-way handshake.
- CVE-2017-13078: Group key (GTK) reinstallation in 4-way handshake.
- CVE-2017-13079: Integrity Group Key (IGTK) reinstallation in 4-way handshake.
- CVE-2017-13080: Group key (GTK) reinstallation in group key handshake.
- CVE-2017-13081: Reinstalling Integrity Group Key (IGTK) in Group Key handshake.
- CVE-2017-13082: Receiving a retransmitted BSS Fast Transition (FT) Reassociation and Paired Encryption Key (PTK-TK) reinstallation request when processing it.
- CVE-2017-13084: Reinstall STK key in PeerKey connection establishment.
- CVE-2017-13086: Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) reinstallation in TDLS handshake.
- CVE-2017-13087: Group Key (GTK) reinstallation when processing a Wireless Network Sleep Mode (WNM) response frame.
- CVE-2017-13088: Integrity Group Key (IGTK) reinstallation when processing a Wireless Network Sleep Mode (WNM) response frame.
Researchers discovered the vulnerabilities last year and reported them to affected vendors on July 14; US-CERT also issued an alert to hundreds of vendors on August 28, 2017.
“US-CERT has become aware of several key management vulnerabilities in the four-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and more. Note that protocol-level issues will affect most or all correct implementations of the standard. CERT/CC and a KU Leuven researcher will publicly disclose these vulnerabilities on October 16, 2017,” US-CERT warned.
How to protect affected devices?
Users must wait for firmware updates from their device vendors, security patches for Linux hostapd (Host Access Point Daemon) and WPA Supplicant have already been released.
The use of VPNs and other anonymization techniques can offer an additional level of communication protection.
“That sounds bad. However, much of the risk would be mitigated for services that use strong encryption at the transport or application layer (such as TLS, HTTPS, SSH, PGP), as well as for applications secured by encrypted VPN protocols,” said cryptocurrency expert Arnold KL. Yau told El Reg.
“Despite this, the ability to decrypt Wi-Fi traffic can still reveal unique device identifiers (MAC addresses) and vast amounts of metadata (websites visited, traffic timing, patterns, amount of data exchanged, etc.) that can violate user privacy on the network and provide valuable information to anyone sitting in a black van.”
The research team plans to release a tool that will allow users to verify if their Wi-Fi network is vulnerable to a KRACK attack.
“We’ve created scripts that detect whether an implementation of a four-way handshake, group handshake, or BSS fast transition (FT) handshake is vulnerable to key reinstallation attacks. These scripts will be released as soon as we have time to clean up their usage instructions,” the expert concluded.
“We also created a proof-of-concept script that uses the all-zero key (re)installation present in some Android and Linux devices. This script is the one we used in the demonstration video. It will be released once everyone has had a reasonable opportunity to update their devices (and we’ve had a chance to prepare the code repository for release).
Experts will present their findings at the Computer and Communications Security (CCS) and Black Hat Europe conferences.