On Monday Mathy Vanhoef and Frank Piessens released research demonstrating multiple vulnerabilities in the WPA / WPA2 standard. This has received significant media coverage, especially since any vendor who implemented the 802.11 standard correctly is likely vulnerable.
I want to share my notes, as I found seriously misleading information in much of the reporting, even on tech outlets. It is worth reading the full paper, which explains the research in great detail, and checking out the vulnerability website. Amazing work by Vanhoef and Piessens.
The vulnerabilities cover three primary attacks, all involving the new technique of key reinstallation. These attacks manipulate various handshakes between wireless clients and access points to alter cryptographic values which are insecure if used more than once. (Hint: NONCE = Number Used Once. If you use it twice, bad things happen.)
Both clients and wireless access points must be patched to fully resolve these issues.
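The nonce-reuse problem behind key reinstallation, as an added example (not code from the paper or the original post). It uses a simplified, hypothetical client model in which a SHA-256 based keystream stands in for the real cipher, and the key and traffic are constructed. The unpatched client resets its transmit nonce when the same key is installed again; the patched one does not.

```python
import hashlib

def keystream(key: bytes, nonce: int, n: int) -> bytes:
    # Toy stand-in for a counter-mode keystream: a function of (key, nonce) only.
    out, block = b"", 0
    while len(out) < n:
        seed = key + nonce.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hashlib.sha256(seed).digest()
        block += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Simplified client (hypothetical model): installed key plus transmit nonce."""
    def __init__(self, patched: bool):
        self.patched, self.key, self.tx_nonce = patched, None, 0

    def install_key(self, key: bytes) -> None:
        # Called each time the handshake tells the client to install the session key.
        if self.patched and key == self.key:
            return              # same key already in use: leave the nonce alone
        self.key = key
        self.tx_nonce = 0       # (re)installation resets the nonce counter

    def send(self, plaintext: bytes):
        self.tx_nonce += 1
        return self.tx_nonce, xor(plaintext, keystream(self.key, self.tx_nonce, len(plaintext)))

P1 = b"GET /login HTTP/1.1"     # constructed sample traffic
P2 = b"Cookie: sid=4f2a91c"     # constructed sample traffic

def run(patched: bool):
    client = Client(patched)
    key = b"constructed-session-key"
    client.install_key(key)
    first = client.send(P1)
    client.install_key(key)     # handshake message delivered a second time
    second = client.send(P2)
    return first, second

def nonce_reused(frames) -> bool:
    nonces = [n for n, _ in frames]
    return len(nonces) != len(set(nonces))

if __name__ == "__main__":
    for patched in (False, True):
        (n1, c1), (n2, c2) = run(patched)
        # With a repeated nonce, c1 XOR c2 == P1 XOR P2, so knowing P1 reveals P2.
        print(patched, (n1, n2), nonce_reused([(n1, c1), (n2, c2)]), xor(xor(c1, c2), P1))
```

In the unpatched run both frames carry nonce 1 and the second plaintext falls out of the two ciphertexts plus the known first plaintext; in the patched run the nonces are 1 and 2 and the same calculation yields noise.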
Key Points and Practical Impacts
Attack against the 4-way handshake.
- This manipulates cryptographic parameters on the client - the device connecting to the wireless network.
- If the wireless network is using WPA2-AES-CCMP, impacts include the ability to replay packets from AP to client, and decrypt packets from client to AP. This could reveal sensitive data including session IDs, cookies, and credentials for plain HTTP connections. Exposure of TCP SYN/ACK packets could allow TCP session hijacking. HTTPS is relatively safe.*
- If the wireless network is using deprecated WPA-TKIP, impacts are severe and include the above with the additional ability to forge packets from the client, allowing malicious code injection and malicious data manipulation. In this instance the AP can be used as a gateway to inject packets towards any device on the network.
- If the wireless network is using GCMP, impact also allows bi-directional packet forging.
- Specific client patch / exposure information:
  - Windows 7/8/10 - These were never vulnerable to this attack due to Microsoft not strictly following the 802.11 standard. (Media outlets are reporting Microsoft patched this, but that is inaccurate. They patched the group key issue (see below) in their October releases.)
  - MacOS - Vulnerable. Patch in beta, not yet available.
  - iOS - Latest versions not vulnerable. Unclear when Apple patched this.
  - Android < 6.0 - Vulnerable, will not be patched.
  - Android 6.0+ - Vulnerable with additional severity. See below. Patching announced for November.
  - Linux - Desktop distributions mostly vulnerable with additional severity, see below. Patches to wpa_supplicant available as of 10/16/17 for all major distributions.
Attacks against 802.11r Fast BSS Transition (FT) handshake
- This manipulates cryptographic parameters on the access point, irrespective of the client patch status. Some media outlets have reported things like “latest Windows not vulnerable to KRACK”. This is misleading, as while the client may not be vulnerable directly, it could still be severely impacted via attacks to a vulnerable access point.
- If the wireless network is using WPA2-AES-CCMP, impacts include the ability to replay packets from client to AP, and decrypt packets from AP to client (note the direction is reversed from the attack on the 4-way handshake). As above, this could reveal sensitive data including session IDs, cookies, and credentials for plain HTTP connections. Exposure of TCP SYN/ACK packets could allow TCP session hijacking. HTTPS is relatively safe.*
- If the wireless network is using deprecated WPA-TKIP, impacts are severe and include the above with the additional ability to forge packets from the AP, allowing malicious code injection and malicious data manipulation.
- As above, if the wireless network uses GCMP, this also allows bi-directional packet forging.
- Can be fully mitigated by disabling 802.11r “fast roaming”, although doing this has a negative impact for clients moving between access points.
- Most vendors are vulnerable. CERT has published a notice with vendor links, and Cisco has published an advisory.
Attacks against the group key handshake
- This manipulates cryptographic parameters on the client, as does the attack against the 4-way handshake.
- In all WPA implementations (TKIP, AES, GCMP) this allows replay of packets from AP to client.
- Impact here is less severe, but the authors note this can impact NTP (which is relied on by Kerberos, etc.), and some home automation protocols. Other impacts are likely.
All-Zero Encryption Key Vulnerability
- Due to a bug in wpa_supplicant (the software implementation of 802.11i for Linux), Android 6.0 and up and almost all modern Linux distributions actually install a null encryption key when the 4-way handshake is attacked. This is catastrophic and negates WPA encryption completely.
- For newish IoT devices this will have an especially long-lived impact, as many will never see patches, nor will many Android phones still in use. Patches for supported Android devices have been announced for November. All major Linux distributions have patches available now.
- There are currently no known (to my knowledge) attack tools in the wild, or test scripts for that matter. Both will be coming soon, but at least there is a window to patch.
- Where threat modeling is concerned, these attacks do require physical proximity to targets and reasonable sophistication by the attacker. Yes, these are bad vulnerabilities that must be addressed, but media coverage has been largely overblown in my opinion. This is not the end of the world (or even of WPA2).
- A vulnerability in a commercial RSA library was also disclosed this week, which has been overshadowed by the WPA issues. For high security facilities this is very serious. It also applies to Yubikeys used for RSA / PIV / PGP.
- *HTTPS certainly mitigates the impacts above to a large extent for those connections. However, as the researchers note, there are multiple known issues with various implementations of HTTPS as well.