A devastating Wi-Fi exploit, based on key reinstallation attacks (KRACKs), was published by Mathy Vanhoef of imec-DistriNet, KU Leuven in Belgium. It broadly relies on tricking a victim into reinstalling an already-in-use key by manipulating and replaying cryptographic handshake messages. Because the key has already been used, this allows the attacker to create a man-in-the-middle scenario and decrypt the traffic. The exploit is particularly dangerous as it involves the underlying protocol of Wi-Fi, and is relatively easy to replicate in the wild against a wide range of target devices.
Dr Kevin Curran, senior member of the IEEE and Professor of Cyber-security, Ulster University, said: “This is a big one, it'll be around for a while, and will doubtless be refined and ‘improved’ by attackers. It affects such a wide sweep of platforms and devices that the impact will be very widespread. It'll really impact on areas like IoT, where vendors and manufacturers just won't get round to patching some devices, leaving them vulnerable for the future.”
The most widespread version of the attack is a key reinstallation attack against the four-way handshake performed in pretty much every implementation of Wi-Fi, where a connecting device and access point check their credentials against each other and negotiate a fresh encryption key. The vulnerable element is the moment that the client receives message three of the four-way handshake and sets about installing the key.
“Because messages may be lost or dropped, the Access Point (AP) will retransmit message three if it did not receive an appropriate response as acknowledgment. As a result, the client may receive message three multiple times. Each time it receives this message, it will reinstall the same encryption key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by the encryption protocol. We show that an attacker can force these nonce resets by collecting and replaying retransmissions of message three of the four-way handshake”, explained Vanhoef.
The result of forcing nonce reuse is that packets can be replayed, decrypted, and/or forged. The same technique can also be used to attack the group key, PeerKey, TDLS, and fast BSS transition handshake, according to Vanhoef in a paper describing the attacks.
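The nonce reset described above can be modelled in a few lines. This is an added example, not code from Vanhoef's paper or from any vendor patch: the `Client` class, the `run` and `reused_nonces` helpers and the SHA-256 keystream (a stand-in for the real encryption protocol) are all assumptions, and the hardened rule is modelled simply as "do not reset the counter when the same key arrives again".

```python
import hashlib

def keystream(key: bytes, pn: int, length: int) -> bytes:
    # Toy stand-in for the real cipher: output depends only on (key, packet number).
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + pn.to_bytes(6, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

class Client:
    def __init__(self, reinstall_on_replay: bool):
        self.reinstall_on_replay = reinstall_on_replay  # True models the vulnerable behaviour
        self.key = None
        self.tx_pn = 0      # incremental transmit packet number (nonce)
        self.sent = []      # (packet number, ciphertext) pairs as seen on the air

    def on_message3(self, ptk: bytes) -> None:
        # Hardened rule: a key that is already in use must not reset the counter.
        if ptk == self.key and not self.reinstall_on_replay:
            return
        self.key, self.tx_pn = ptk, 0

    def send(self, plaintext: bytes) -> None:
        self.tx_pn += 1
        ks = keystream(self.key, self.tx_pn, len(plaintext))
        self.sent.append((self.tx_pn, bytes(a ^ b for a, b in zip(plaintext, ks))))

def run(reinstall_on_replay: bool):
    ptk = b"constructed-session-key"   # constructed sample value
    c = Client(reinstall_on_replay)
    c.on_message3(ptk)                 # first delivery of message three
    c.send(b"frame-one-data")
    c.on_message3(ptk)                 # retransmitted message three, same key
    c.send(b"frame-two-data")
    return c.sent

def reused_nonces(sent):
    # Check over captured frames: any packet number used twice under one key.
    seen, dup = set(), set()
    for pn, _ in sent:
        (dup if pn in seen else seen).add(pn)
    return sorted(dup)

if __name__ == "__main__":
    print("vulnerable client reused nonces:", reused_nonces(run(True)))
    print("hardened client reused nonces:  ", reused_nonces(run(False)))
```

In the vulnerable run both frames are encrypted under packet number 1, so XORing the two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts; the hardened run keeps counting and never repeats a nonce.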
Lee Munson, security researcher, Comparitech.com, said that businesses needed to take precautions against the vulnerability: “Ensuring that all remote employees who connect to the network use a VPN is an obvious starting point and one that really should be in place already. This should be encouraged through an appropriate network security policy and an awareness campaign.
“From a technical standpoint, the IT department would be wise to ensure that the virtual private network has been adequately risk-assessed and tested and that it is correctly sited in front of, or behind, the corporate firewall. The latest approved patches should also be installed.”
Curran concurred: “Unfortunately, there is no alternative to using WPA2 at present, but users should consider using VPNs and other security technologies to provide protection to connections. A positive aspect is that HTTPS is becoming more pervasive on the web and some services such as TLS, SSH, PGP use strong encryption.”
Microsoft has announced that it quietly patched the issue on 10th October, stating that: “Customers who have Windows Update enabled and applied the security updates are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates.”
Vanhoef is due to present the vulnerabilities formally on November 1 in a talk titled “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2” at a security conference in Dallas.