Clever Geek Handbook

Key reinstallation attack

Key Reinstallation Attack (KRACK) is a replay attack that works against any Wi-Fi network protected with WPA2.

It was discovered by the Belgian researchers Mathy Vanhoef and Frank Piessens in 2016. [1] The results were published in October 2017. Using this attack, an adversary can eavesdrop on data exchanged between a client and an access point and, in some cases, forge data injected into that exchange.

All protected Wi-Fi networks use the 4-way handshake to negotiate a fresh session key. The attacker forces the victim to reinstall a key that is already in use by replaying message 3 of that handshake.

The ciphers used in WPA2 (AES-CCMP, and likewise TKIP and GCMP) run in stream-cipher-like modes whose security depends on a nonce (the packet number) never being reused under the same key. Reinstalling the key resets that nonce, so keystream is reused. An attacker does not learn the key, but can replay packets and decrypt them by exploiting the keystream reuse, and so read the traffic between the client and the access point. On Linux with wpa_supplicant 2.4/2.5 and on Android 6.0 the replay installs an all-zero key instead, which makes the traffic trivially decryptable.

Contents

  • 1 Attack overview
  • 2 Impact
  • 3 Device susceptibility to the attack
  • 4 Mitigation
  • 5 Patches
  • 6 Notes
  • 7 Links

Attack overview

Figure: the 4-way handshake

When a client joins a Wi-Fi network, a fresh session key is negotiated in four messages (the 4-way handshake). The negotiated key is then used to encrypt all normal data frames. Because individual messages may be lost, the access point (AP) retransmits message 3 until it receives an acknowledgement (message 4), so the client may receive message 3 more than once. Each time it does, the client installs the same encryption key again and resets the associated transmit nonce (packet number) and receive replay counter. The researchers demonstrated in practice that an attacker can force the victim to reset these counters by capturing and replaying message 3 of the 4-way handshake.

Because the same key is then used with a reset nonce, the cryptographic protocol can be attacked: packets can be replayed, decrypted, and in some cases forged [2]. The same technique applies to the Group Key handshake, Fast BSS Transition (FT), PeerKey, the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) handshake, and the Wireless Network Management (WNM) Sleep Mode response [3].

Under certain conditions an attacker can not only eavesdrop on Wi-Fi traffic but also mount man-in-the-middle attacks: hijack TCP sessions, inject content into HTTP sessions, replay unicast, broadcast and multicast frames, and carry out other spoofing attacks [3].

Impact

An attacker can read network traffic and extract passwords, HTTP cookies and similar secrets from it. Decrypting TCP SYN packets reveals the TCP sequence numbers, which lets the attacker predict the packet counter and hijack the TCP connection. Thus, despite WPA2, the attacker can act as a man in the middle and inject malicious content into HTTP data, for example embedding malware in the HTTP responses a victim receives from the websites she visits. [4]

The consequences of KRACK are especially severe when the network uses WPA-TKIP or GCMP rather than AES-CCMP, because in those cases frames can also be forged. Note that GCMP is the cipher used by the WiGig standard (IEEE 802.11ad), which is expected to see wide adoption in the coming years. [4]

The table shows what an attacker can do against the client and the access point (AP) after a KRACK attack, depending on the data-confidentiality protocol in use. (Arrows give the direction of the affected traffic.)

Protocol | Replay       | Decryption   | Forgery
---------|--------------|--------------|---------------
TKIP     | AP -> client | client -> AP | client -> AP
CCMP     | AP -> client | client -> AP | -
GCMP     | AP -> client | client -> AP | client <-> AP

Device susceptibility to the attack

The attack is especially destructive against versions 2.4 and 2.5 of wpa_supplicant, the Wi-Fi client commonly used on Linux. Instead of reinstalling the real key, this client installs an all-zero key. The root cause is wording in the 802.11 standard that implicitly instructs implementations to clear the key from memory once it has been installed; when message 3 is replayed, the cleared (all-zero) key is what gets installed. Because Android uses a modified wpa_supplicant, Android 6.0 and Android Wear 2.0 share this defect. As a result, 31.2% of Android devices were susceptible to this variant. [5]
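To make the mechanism in the attack overview and the all-zero-key variant above concrete, the following model is added here as an illustration; it is not code from the page or from the researchers. A client state machine handles messages 1 and 3 of the 4-way handshake in three behaviours (reinstalls on every message 3, reinstalls an all-zero key because the stored key was wiped, or installs once as a patched supplicant does). The cipher is a stand-in: an HMAC-SHA256 counter-mode keystream plays the role of the AES-CTR keystream inside CCMP, and the PTK derivation is simplified (real WPA2 uses PRF-512 over the PMK, both nonces and both MAC addresses). The PSK, nonces, known plaintext and secret are constructed sample values. The attacker then tries both KRACK decryption routes on two captured frames.

```python
"""KRACK message-3 replay modelled against three WPA2 client behaviours.

Constructed example; the cipher and key derivation are simplified
stand-ins (see the lead-in). What is shared with the real cipher: the
keystream depends only on (key, nonce), so reusing a nonce under the
same key reuses keystream.
"""
import hashlib
import hmac


def keystream(tk: bytes, pn: int, length: int) -> bytes:
    """Counter-mode keystream for temporal key `tk` and packet number `pn`."""
    out = b""
    block = 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(tk, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Supplicant side of the 4-way handshake.

    mode 'vulnerable': reinstalls the key and resets the packet number on
                       every message 3 (the common case).
    mode 'zero_key':   additionally wipes the stored key once it has been
                       installed (wpa_supplicant 2.4/2.5, Android 6.0), so
                       the second installation uses an all-zero key.
    mode 'patched':    installs the key once; further copies of message 3
                       only trigger a new message 4.
    """

    def __init__(self, mode: str):
        self.mode = mode
        self.stored_tk = None   # key held by the supplicant between messages
        self.tk = None          # key currently installed in the cipher
        self.pn = None          # transmit packet number (the CCMP nonce)
        self.installed = False

    def on_msg1(self, pmk: bytes, anonce: bytes, snonce: bytes) -> None:
        # Simplified PTK derivation (stand-in for PRF-512); TK = first 16 bytes.
        ptk = hmac.new(pmk, b"Pairwise key expansion" + anonce + snonce,
                       hashlib.sha256).digest()
        self.stored_tk = ptk[:16]

    def on_msg3(self) -> None:
        if self.installed and self.mode == "patched":
            return                      # only re-send message 4
        self.tk = self.stored_tk        # (re)install the key ...
        self.pn = 0                     # ... and reset the nonce
        self.installed = True
        if self.mode == "zero_key":
            self.stored_tk = bytes(16)  # "clear the key from memory once installed"

    def send(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.tk, self.pn, len(plaintext)))


KNOWN = b"GET /index.html HTTP/1.1"   # plaintext the attacker can guess (constructed)
SECRET = b"Cookie: session=s3cr3t01"  # same length; what the attacker wants (constructed)


def simulate(mode: str) -> dict:
    """Run one handshake with a replayed message 3 and let an attacker
    try both KRACK decryption routes on the two captured frames."""
    pmk = hashlib.sha256(b"constructed PSK").digest()
    anonce = hashlib.sha256(b"anonce").digest()
    snonce = hashlib.sha256(b"snonce").digest()

    client = Client(mode)
    client.on_msg1(pmk, anonce, snonce)
    client.on_msg3()                     # genuine message 3
    pn1, c1 = client.send(KNOWN)         # first data frame, PN = 1
    client.on_msg3()                     # attacker replays message 3
    pn2, c2 = client.send(SECRET)        # PN is 1 again if the key was reinstalled

    # Route 1: keystream reuse. Same key and same PN on both frames means
    # c1 XOR c2 == p1 XOR p2, so a known plaintext reveals the other one.
    via_reuse = xor(xor(c1, c2), KNOWN) if pn1 == pn2 else None
    # Route 2: all-zero key (Linux/Android variant): no known plaintext needed.
    via_zero_key = xor(c2, keystream(bytes(16), pn2, len(c2)))

    return {"nonce_reused": pn1 == pn2,
            "via_keystream_reuse": via_reuse,
            "via_zero_key": via_zero_key}


if __name__ == "__main__":
    for m in ("vulnerable", "zero_key", "patched"):
        print(m, simulate(m))
```

Against the "vulnerable" client the known-plaintext XOR recovers the cookie without ever learning the key; against the "zero_key" client the XOR route fails (the two frames were encrypted under different keys) but direct decryption with a zero key succeeds; against the "patched" client the packet number keeps increasing, so neither route works.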

The table shows the effect of the KRACK attack on different Wi-Fi client implementations. The second column indicates whether the implementation accepts a retransmitted message 3 of the 4-way handshake; the third whether the 4-way handshake is vulnerable.

Implementation          | Accepts re-sent Msg3 | 4-way handshake
------------------------|----------------------|----------------
OS X 10.9.5             | yes                  | vulnerable
macOS Sierra 10.12      | yes                  | vulnerable
iOS 10.3.1              | no                   | not vulnerable
wpa_supplicant v2.3     | yes                  | vulnerable
wpa_supplicant v2.4-5   | yes                  | vulnerable
wpa_supplicant v2.6     | yes                  | vulnerable
Android 6.0.1           | yes                  | vulnerable
OpenBSD 6.1 (rum)       | yes                  | not vulnerable
OpenBSD 6.1 (iwn)       | yes                  | vulnerable
Windows 7               | no                   | not vulnerable
Windows 10              | no                   | not vulnerable
MediaTek                | yes                  | vulnerable

Mitigation

Installing the vendor patches listed below removes the vulnerability. Until then, users are strongly advised to use a VPN and to visit sites only over HTTPS. Note, however, that a VPN gateway itself has full access to the clients' traffic, and that HTTPS in some configurations is exposed to downgrade attacks, in which users are forced onto an insecure plain-HTTP connection. [6]

Patches

The table below lists the patches for different systems that close the KRACK vulnerability. For example, the patched wpa_supplicant 2.6 client installs the encryption key only once, on the first receipt of message 3 from the access point. [2]

System               | Version | Patched in
---------------------|---------|-----------------------------------------------------------------------------
Android              | all     | Android security patch level 2017-11-06 [7]
Chrome OS            | all     | Stable channel 62.0.3202.74 [8]
iOS                  | iOS 11  | iOS 11.1 [9] for iPhone 7 and later, iOS 11.2 [10] for all devices running iOS 11; iOS versions before 11 were not vulnerable
macOS High Sierra    | 10.13   | macOS 10.13.1 [11]
macOS Sierra         | 10.12   | Security Update 2017-001 Sierra [11]
Windows              | 7       | KB4041681 or KB4041678 [12]
Windows              | 8.1     | KB4041693 or KB4041687 [12]
Windows              | 10      | KB4042895 [12]
Windows Server       | 2016    | KB4041691 [12]

Notes

  1. ↑ New KRACK Attack Breaks WPA2 WiFi Protocol. Bleeping Computer (October 16, 2017). Retrieved October 16, 2017.
  2. ↑ 1 2 Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2.
  3. ↑ 1 2 VU#228519: Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse. CERT/CC (October 16, 2017).
  4. ↑ 1 2 Key Reinstallation Attacks: Breaking WPA2 by forcing nonce reuse, www.krackattacks.com.
  5. ↑ How the KRACK attack destroys nearly all Wi-Fi security. Ars Technica (October 16, 2017).
  6. ↑ Dan Goodin. Serious flaw in WPA2 protocol lets attackers intercept passwords and much more. Ars Technica (October 16, 2017).
  7. ↑ Android Security Bulletin - November 2017. android.com. Retrieved November 7, 2017.
  8. ↑ Stable Channel Update for Chrome OS. chromereleases.googleblog.com. Retrieved November 7, 2017.
  9. ↑ About the security content of iOS 11.1 - Apple Support. support.apple.com. Retrieved November 1, 2017.
  10. ↑ About the security content of iOS 11.2 - Apple Support. support.apple.com. Retrieved December 7, 2017.
  11. ↑ 1 2 About the security content of macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, and Security Update 2017-004 El Capitan - Apple Support. support.apple.com. Retrieved November 1, 2017.
  12. ↑ 1 2 3 4 CVE-2017-13080 Windows Wireless WPA Group Key Reinstallation Vulnerability. microsoft.com. Retrieved November 1, 2017.

Links

  1. Website of the researchers who discovered the vulnerability in WPA2
  2. Falling through the KRACKs
  3. Youtube: The 4-way Handshake
  4. Youtube: KRACK - Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2
Source - https://ru.wikipedia.org/w/index.php?title=Attack_with_key_reset&oldid=99034454


Clever Geek | 2019