Key Reinstallation Attacks

pete_c

Guru
Breaking WPA2 by forcing nonce reuse
Discovered by Mathy Vanhoef of imec-DistriNet, KU Leuven
 
Although this paper is made public now, it was already submitted for review on 19 May 2017. After this, only minor changes were made. As a result, the findings in the paper are already several months old.
 
We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.

The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor.

The research behind the attack will be presented at the Computer and Communications Security (CCS) conference, and at the Black Hat Europe conference. Our detailed research paper can already be downloaded.
 
Q&A
 
Do we now need WPA3?

No, luckily implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moments in time. However, the security updates will assure a key is only installed once, preventing our attacks. So again, update all your devices once security updates are available.

Should I change my Wi-Fi password?

Changing the password of your Wi-Fi network does not prevent (or mitigate) the attack. So you do not have to update the password of your Wi-Fi network. Instead, you should make sure all your devices are updated, and you should also update the firmware of your router. After updating your router, you can optionally change the Wi-Fi password as an extra precaution.

I'm using WPA2 with only AES. That's also vulnerable?

Yes, that network configuration is also vulnerable. The attack works against both WPA1 and WPA2, against personal and enterprise networks, and against any cipher suite being used (WPA-TKIP, AES-CCMP, and GCMP). So everyone should update their devices to prevent the attack!

You use the word "we" in this website. Who is we?

I use the word "we" because that's what I'm used to writing in papers. In practice, all the work is done by me, with me being Mathy Vanhoef. My awesome supervisor is added under an honorary authorship to the research paper for his excellent general guidance. But all the real work was done on my own. So the author list of academic papers does not represent division of work :)

Is my device vulnerable?

Probably. Any device that uses Wi-Fi is likely vulnerable. Contact your vendor for more information.

What if there are no security updates for my router?

Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.

How did you discover these vulnerabilities?

When working on the final (i.e. camera-ready) version of another paper, I was double-checking some claims we made regarding OpenBSD's implementation of the 4-way handshake. In a sense I was slacking off, because I was supposed to be just finishing the paper, instead of staring at code. But there I was, inspecting some code I already read a hundred times, to avoid having to work on the next paragraph. It was at that time that a particular call to ic_set_key caught my attention. This function is called when processing message 3 of the 4-way handshake, and it installs the pairwise key to the driver. While staring at that line of code I thought “Ha. I wonder what happens if that function is called twice”. At the time I (correctly) guessed that calling it twice might reset the nonces associated to the key. And since message 3 can be retransmitted by the Access Point, in practice it might indeed be called twice. “Better make a note of that. Other vendors might also call such a function twice. But let's first finish this paper...”. A few weeks later, after finishing the paper and completing some other work, I investigated this new idea in more detail. And the rest is history.

The 4-way handshake was mathematically proven as secure. How is your attack possible?

The brief answer is that the formal proof does not assure a key is installed once. Instead, it only assures the negotiated key remains secret, and that handshake messages cannot be forged.

The longer answer is mentioned in the introduction of our research paper: our attacks do not violate the security properties proven in formal analysis of the 4-way handshake. In particular, these proofs state that the negotiated encryption key remains private, and that the identity of both the client and Access Point (AP) is confirmed. Our attacks do not leak the encryption key. Additionally, although normal data frames can be forged if TKIP or GCMP is used, an attacker cannot forge handshake messages and hence cannot impersonate the client or AP during handshakes. Therefore, the properties that were proven in formal analysis of the 4-way handshake remain true. However, the problem is that the proofs do not model key installation. Put differently, the formal models did not define when a negotiated key should be installed. In practice, this means the same key can be installed multiple times, thereby resetting nonces and replay counters used by the encryption protocol (e.g. by WPA-TKIP or AES-CCMP).

Some attacks in the paper seem hard

We have follow-up work making our attacks (against for example macOS and OpenBSD) significantly more general and easier to execute. So although we agree that some of the attack scenarios in the paper are rather impractical, do not let this fool you into believing key reinstallation attacks cannot be abused in practice.

Are people exploiting this in the wild?

We are not in a position to determine if this vulnerability has been (or is being) actively exploited in the wild. That said, key reinstallations can actually occur spontaneously without an adversary being present! This may for example happen if the last message of a handshake is lost due to background noise, causing a retransmission of the previous message. When processing this retransmitted message, keys may be reinstalled, resulting in nonce reuse just like in a real attack.

Should I temporarily use WEP until my devices are patched?

NO! Keep using WPA2.

Will the Wi-Fi standard be updated to address this?

There seems to be an agreement that the Wi-Fi standard should be updated to explicitly prevent our attacks. These updates likely will be backwards-compatible with older implementations of WPA2. Time will tell whether and how the standard will be updated.

Is the Wi-Fi Alliance also addressing these vulnerabilities?

For those unfamiliar with Wi-Fi, the Wi-Fi Alliance is an organization which certifies that Wi-Fi devices conform to certain standards of interoperability. Among other things, this assures that Wi-Fi products from different vendors work well together.

The Wi-Fi Alliance has a plan to help remedy the discovered vulnerabilities in WPA2. Summarized, they will:

    Require testing for this vulnerability within their global certification lab network.

    Provide a vulnerability detection tool for use by any Wi-Fi Alliance member (this tool is based on my own detection tool that determines if a device is vulnerable to some of the discovered key reinstallation attacks).

    Broadly communicate details on this vulnerability, including remedies, to device vendors. Additionally, vendors are encouraged to work with their solution providers to rapidly integrate any necessary patches.

    Communicate the importance for users to ensure they have installed the latest recommended security updates from device manufacturers.

Why did you use match.com as an example in the demonstration video?

Users share a lot of personal information on websites such as match.com. So this example highlights all the sensitive information an attacker can obtain, and hopefully with this example people also better realize the potential (personal) impact. We also hope this example makes people aware of all the information these dating websites may be collecting.

How can these types of bugs be prevented?

We need more rigorous inspections of protocol implementations. This requires help and additional research from the academic community! Together with other researchers, we hope to organize workshop(s) to improve and verify the correctness of security protocol implementations.

Why the domain name krackattacks.com?

First, I'm aware that KRACK attacks is a pleonasm, since KRACK stands for key reinstallation attack and hence already contains the word attack. But the domain name rhymes, so that's why it's used.

Did you get bug bounties for this?

I haven't applied for any bug bounties yet, nor have I received one already.

How does this attack compare to other attacks against WPA2?

This is the first attack against the WPA2 protocol that doesn't rely on password guessing. Indeed, other attacks against WPA2-enabled network are against surrounding technologies such as Wi-Fi Protected Setup (WPS), or are attacks against older standards such as WPA-TKIP. Put differently, none of the existing attacks were against the 4-way handshake or against cipher suites defined in the WPA2 protocol. In contrast, our key reinstallation attack against the 4-way handshake (and against other handshakes) highlights vulnerabilities in the WPA2 protocol itself.

Are other protocols also affected by key reinstallation attacks?

We expect that certain implementations of other protocols may be vulnerable to similar attacks. So it's a good idea to audit security protocol implementations with this attack in mind. However, we consider it unlikely that other protocol standards are affected by similar attacks (or at least so we hope). Nevertheless, it's still a good idea to audit other protocols!

Is there a higher resolution version of the logo?

Yes there is. And a big thank you goes to the person that made the logo!

When did you first notify vendors about the vulnerability?

We sent out notifications to vendors whose products we tested ourselves around 14 July 2017. After communicating with these vendors, we realized how widespread the weaknesses we discovered are (only then did I truly convince myself it was indeed a protocol weakness and not a set of implementation bugs). At that point, we decided to let CERT/CC help with the disclosure of the vulnerabilities. In turn, CERT/CC sent out a broad notification to vendors on 28 August 2017.

Why did OpenBSD silently release a patch before the embargo?

OpenBSD was notified of the vulnerability on 15 July 2017, before CERT/CC was involved in the coordination. Quite quickly, Theo de Raadt replied and critiqued the tentative disclosure deadline: “In the open source world, if a person writes a diff and has to sit on it for a month, that is very discouraging”. Note that I wrote and included a suggested diff for OpenBSD already, and that at the time the tentative disclosure deadline was around the end of August. As a compromise, I allowed them to silently patch the vulnerability. In hindsight this was a bad decision, since others might rediscover the vulnerability by inspecting their silent patch. To avoid this problem in the future, OpenBSD will now receive vulnerability notifications closer to the end of an embargo.

So you expect to find other Wi-Fi vulnerabilities?

“I think we're just getting started.”  — Master Chief, Halo 1
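The Q&A above says that processing a retransmitted message 3 can install the same key twice and reset its nonces, and that the fix is to install a key only once. The following is an added example, not code from the thread or from the researcher: a toy client model in which the class and function names, the session key, and the SHA-256 keystream (a stand-in for CCMP/GCMP) are all assumptions made for illustration.

```python
import hashlib

# Constructed sample plaintexts of equal length (not real traffic).
P1 = b"first frame ...."
P2 = b"second frame ..."


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter). Stand-in for the real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        block = key + nonce.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Hypothetical supplicant model: only key installation and the TX nonce."""

    def __init__(self, ptk: bytes, patched: bool):
        self.ptk = ptk              # pairwise key negotiated by the handshake
        self.patched = patched
        self.installed_key = None
        self.tx_nonce = 0

    def on_message3(self) -> None:
        """Handle handshake message 3, which the AP may retransmit."""
        if self.patched and self.installed_key == self.ptk:
            return                  # key already installed: keep the nonce counter
        self.installed_key = self.ptk
        self.tx_nonce = 0           # (re)installing the key resets the nonce

    def send(self, plaintext: bytes):
        self.tx_nonce += 1
        ks = keystream(self.installed_key, self.tx_nonce, len(plaintext))
        return self.tx_nonce, xor(plaintext, ks)


def run_session(patched: bool):
    """Message 3, one data frame, a retransmitted message 3, another data frame."""
    client = Client(ptk=b"constructed-session-key", patched=patched)
    client.on_message3()
    frames = [client.send(P1)]
    client.on_message3()            # retransmission, e.g. message 4 was lost
    frames.append(client.send(P2))
    return frames


def reused_nonces(frames):
    """Monitoring check: nonces that appear more than once under one key."""
    seen, reused = set(), []
    for nonce, _ in frames:
        if nonce in seen and nonce not in reused:
            reused.append(nonce)
        seen.add(nonce)
    return reused


if __name__ == "__main__":
    for patched in (False, True):
        frames = run_session(patched)
        leak = xor(frames[0][1], frames[1][1]) == xor(P1, P2)
        print(f"patched={patched} nonces={[n for n, _ in frames]} "
              f"reused={reused_nonces(frames)} keystream_cancels={leak}")
```

In the unpatched run both frames are encrypted with the same keystream, so XORing the two ciphertexts cancels it and leaves the XOR of the plaintexts; the key itself is never revealed, which matches the Q&A's point that the proven handshake properties still hold.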
 
Well I can think of no action to take that would help so I say bummer. I guess we could plug in whenever possible.
 
Mike.
 
mikefamig said:
Well I can think of no action to take that would help so I say bummer. I guess we could plug in whenever possible.
 
Mike.
I wouldn't lose any sleep over this.  There seems to be a continual dribble of security risks daily and most of them are theoretical, at best.  For someone to even break-into your Wi-Fi they need to be within a few hundred feet of your house.  That pretty much rules out 99.9999% of the population.  And just getting on your network really doesn't get you much since modern computers don't allow anyone on a network access unless you allow it.  I guess they could print something on a printer, since those have no security. I had a neighbor that had no Wi-Fi password, but that doesn't mean I could access their computers.
 
Besides, why would anyone go to the trouble of hacking your Wi-Fi so they can get one or two lousy pieces of your personal information, when they can hack credit bureaus, banks, department stores, etc. and get millions of pieces of information? 
 
here is some more stuff...
 
Here's every patch for KRACK Wi-Fi vulnerability available right now
 
Vendors are reacting swiftly to a vulnerability that lets attackers eavesdrop on your network traffic.

 
By Charlie Osborne and Zack Whittaker for Zero Day |
October 16, 2017 -- 16:55 GMT (09:55 PDT) | Topic: Security
 
Monday morning was not a great time to be an IT admin, with the public release of a bug that effectively broke WPA2 wireless security.

Security experts have said the bug is a total breakdown of the WPA2 security protocol.

As reported previously by ZDNet, the bug, dubbed "KRACK" -- which stands for Key Reinstallation Attack -- is at heart a fundamental flaw in the way Wi-Fi Protected Access II (WPA2) operates.

The security protocol, an upgrade from WEP, is used to protect and secure communications between everything from our routers, mobile devices, and Internet of Things (IoT) devices, but there is an issue in the system's four-way handshake that permits devices with a pre-shared password to join a network.

According to security researcher and academic Mathy Vanhoef, who discovered the flaw, threat actors can leverage the vulnerability to decrypt traffic, hijack connections, perform man-in-the-middle attacks, and eavesdrop on communication sent from a WPA2-enabled device.

US-CERT has known of the bug for some months and informed vendors ahead of the public disclosure to give them time to prepare patches and prevent the vulnerability from being exploited in the wild -- of which there are no current reports of this bug being harnessed by cyberattackers.

The bug is present in WPA2's cryptographic nonce and can be utilized to dupe a connected party into reinstalling a key which is already in use. While the nonce is meant to prevent replay attacks, in this case, attackers are then given the opportunity to replay, decrypt, or forge packets.

In general, Windows and newer versions of iOS are unaffected, but the bug can have a serious impact on Android 6.0 Marshmallow and newer.

The attack could also be devastating for IoT devices, as vendors often fail to implement acceptable security standards or update systems in the supply chain, which has already led to millions of vulnerable and unpatched IoT devices being exposed for use by botnets.

The vulnerability does not mean the world of WPA2 has come crumbling down, but it is up to vendors to mitigate the issues this may cause.

In total, ten CVE numbers have been preserved to describe the vulnerability and its impact, and according to the US Department of Homeland Security (DHS), the main affected vendors are Aruba, Cisco, Espressif Systems, Fortinet, the FreeBSD Project, HostAP, Intel, Juniper Networks, Microchip Technology, Red Hat, Samsung, various units of Toshiba and Ubiquiti Networks.

Who's on top of the game?
 
Apple: The iPhone and iPad maker confirmed to sister-site CNET that fixes for iOS, macOS, watchOS and tvOS are in beta, and will be rolling it out in a software update in a few weeks.

Arris: a spokesperson said the company is "committed to the security of our devices and safeguarding the millions of subscribers who use them," and is "evaluating" its portfolio. The company did not say when it will release any patches.

Aruba: Aruba has been quick off the mark with a security advisory and patches available for download for ArubaOS, Aruba Instant, Clarity Engine and other software impacted by the bug.

AVM: This company may not be taking the issue seriously enough, as due to its "limited attack vector," despite being aware of the issue, will not be issuing security fixes "unless necessary."

Cisco: The company is currently investigating exactly which products are impacted by KRACK, but says that "multiple Cisco wireless products are affected by these vulnerabilities."

"Cisco is aware of the industry-wide vulnerabilities affecting Wi-Fi Protected Access protocol standards," a Cisco spokesperson told ZDNet. "When issues such as this arise, we put the security of our customers first and ensure they have the information they need to best protect their networks. Cisco PSIRT has issued a security advisory to provide relevant detail about the issue, noting which Cisco products may be affected and subsequently may require customer attention.

"Fixes are already available for select Cisco products, and we will continue publishing additional software fixes for affected products as they become available," the spokesperson said.

In other words, some patches are available, but others are pending the investigation.

Espressif Systems: The Chinese vendor has begun patching its chipsets, namely ESP-IDF and ESP8266 versions, with Arduino ESP32 next on the cards for a fix.

Fortinet: At the time of writing there was no official advisory, but based on Fortinet's support forum, it appears that FortiAP 5.6.1 is no longer vulnerable to most of the CVEs linked to the attack, but the latest branch, 5.4.3, may still be impacted. Firmware updates are expected.

FreeBSD Project: There is no official response at the time of writing.

Google: Google told sister-site CNET that the company is "aware of the issue, and we will be patching any affected devices in the coming weeks."

HostAP: The Linux driver provider has issued several patches in response to the disclosure.

Intel: Intel has released a security advisory listing updated Wi-Fi drivers and patches for affected chipsets, as well as Intel Active Management Technology, which is used by system manufacturers.

Linux: As noted on Charged, a patch is already available and Debian builds can patch now, while OpenBSD was fixed back in July.

Netgear: Netgear has released fixes for some router hardware. The full list can be found here.

Microsoft: While Windows machines are generally considered safe, the Redmond giant isn't taking any chances and has released a security fix available through automatic updates.

MikroTik: The vendor has already released patches that fix the vulnerabilities.

OpenBSD: Patches are now available.

Ubiquiti Networks: A new firmware release, version 3.9.3.7537, protects users against the attack.

Wi-Fi Alliance: The group is offering a tool to detect KRACK for members and requires testing for the bug for new members.

Wi-Fi Standard: A fix is available for vendors but not directly for end users.

At the time of writing, neither Toshiba nor Samsung responded to our requests for comment. If that changes, we will update the story.
 
More...
 
Note here skipping the part relating to whom or what is to blame...some gibberish relating to the IEEE...
 
Wi-Fi Alliance® security update
 
Austin, TX – October 16, 2017 – Wi-Fi Alliance® provides trusted security to billions of Wi-Fi® devices and continues to support Wi-Fi users, as we have done for more than a decade.
 
Recently published research identified vulnerabilities in some Wi-Fi devices where those devices reinstall network encryption keys under certain conditions, disabling replay protection and significantly reducing the security of encryption. This issue can be resolved through straightforward software updates, and the Wi-Fi industry, including major platform providers, has already started deploying patches to Wi-Fi users. Users can expect all their Wi-Fi devices, whether patched or unpatched, to continue working well together.
 
There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections. Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member. Wi-Fi Alliance is also broadly communicating details on this vulnerability and remedies to device vendors and encouraging them to work with their solution providers to rapidly integrate any necessary patches. As always, Wi-Fi users should ensure they have installed the latest recommended updates from device manufacturers.
 
As with any technology, robust security research that pre-emptively identifies potential vulnerabilities is critical to maintaining strong protections. Wi-Fi Alliance thanks Mathy Vanhoef and Frank Piessens of the imec-DistriNet research group of KU Leuven for discovering and responsibly reporting this issue, allowing industry to proactively prepare updates. Wi-Fi Alliance also thanks Mathy Vanhoef for his support during the coordinated response, especially his contributions to the vulnerability detection tool.
 
For more information, please refer to statements from ICASI and CERT.
www.wi-fi.org/securityupdate2017overview
 
ano said:
I wouldn't lose any sleep over this.  There seems to be a continual dribble of security risks daily and most of them are theoretical, at best.  For someone to even break-into your Wi-Fi they need to be within a few hundred feet of your house.  That pretty much rules out 99.9999% of the population.  And just getting on your network really doesn't get you much since modern computers don't allow anyone on a network access unless you allow it.  I guess they could print something on a printer, since those have no security. I had a neighbor that had no Wi-Fi password, but that doesn't mean I could access their computers.
 
Besides, why would anyone go to the trouble of hacking your Wi-Fi so they can get one or two lousy pieces of your personal information, when they can hack credit bureaus, banks, department stores, etc. and get millions of pieces of information? 
 
Right off the top of my head it occurs to me that a thief could potentially look at you with your cameras and they could maybe mess with your router settings and it's safe to assume there is more at risk than I know of than to just ignore the problem. But don't worry, THIS is not the reason that I don't sleep well.
 
I understand that a person has to be within your wifi signal to hack your network but if a person had something to gain from it then it would be easy enough for them to roll around a neighborhood and get what they are after. Even if it was just mischievous they could cause you some pain if they could get your router password and access your router settings. If hackers do find something to gain from this then I would say that it's a lot easier to sit in front of your house in a car than it is to break in and steal your tv. I'm not worried about 99.9999% of the population, I'm worried about the small minority that goes out of their way to hack security systems.
 
Mike.
 
Relating to Ubuntu (laptops here) patches came out yesterday:
 
USN-3455-1: wpa_supplicant and hostapd vulnerabilities
 
A more detailed chart is found here ==> Vendor Response Matrix for KRACK WPA2 (Key Reinstallation Attack)
 
 
For Japanese readers: please see here (Japanese)
 
The Good
  • Should a vendor take responsibility, devices are for the most part updatable.
The Bad
  • Many devices do not have an easy way to apply updates.
  • A huge burden is placed on the consumer to keep their devices up to date.
    It may not be easy to search for all updates to all devices.
  • The attack works for both clients and access points.
    Updating an access point does not keep clients protected!
The Ugly
  • Attacks against Android 6.0+ devices are very easy to accomplish.
    It is advised to disable Wi-Fi and only use 4G for the time being.
  • Updates may never come for many IoT devices.
Attacks that can be made
  • Adversary can decrypt arbitrary packets.
    This allows an adversary to obtain the TCP sequence numbers of a connection, and hijack TCP connections.
  • Adversary can replay broadcast and multicast frames.
  • Adversary can both decrypt and inject arbitrary packets. (TKIP or GCMP ONLY)
  • Adversary can force the client into using a predictable all-zero encryption key. (ANDROID 6.0+ and LINUX)
Attacks that cannot be made
  • Adversary cannot recover WPA password.
  • Adversary cannot inject packets. (AES-CCMP ONLY)
Related Reading
Vendor Patch Matrix (non-complete)
 
The vulnerability exists on clients and WAP's and is related to WPA2 in general.
 
These days with much of the wireless stuff embedded in firmware it becomes a bit more difficult to update.
 
mikefamig said:
Right off the top of my head it occurs to me that a thief could potentially look at you with your cameras and they could maybe mess with your router settings and it's safe to assume there is more at risk than I know of than to just ignore the problem. But don't worry, THIS is not the reason that I don't sleep well.
 
I understand that a person has to be within your wifi signal to hack your network but if a person had something to gain from it then it would be easy enough for them to roll around a neighborhood and get what they are after. Even if it was just mischievous they could cause you some pain if they could get your router password and access your router settings. If hackers do find something to gain from this then I would say that it's a lot easier to sit in front of your house in a car than it is to break in and steal your tv. I'm not worried about 99.9999% of the population, I'm worried about the small minority that goes out of their way to hack security systems.
 
Mike.
Really, if someone didn't like you and was within a few hundred feet of your house, I bet the first thought in their mind wouldn't be "let me use a newly discovered Wi-Fi security vulnerability and break into their router."  If you want something to keep you up at night, maybe it should be that hackers have likely stolen all your Equifax data, and they can cause mischief with it anywhere in the world.
 
There was a woman on the news here who claims hackers have already tried to make use of that data on her multiple times. 
 
If you look at ALL the weaknesses out there, most of the worst ones are completely outside of your control.  You mentioned camera break-in, but why break-in to your Wi-Fi network to do that. It's far easier to just break-in to the cloud account where the camera stores all the pictures. And that can be done from China or Russia.
 
I think that you missed my point. I'm not talking about someone targeting me. I'm saying that if there is a vulnerability in a widely used technology such as wpa2 wifi encryption that some clever hacker may think of a way to capitalize on it for fun and profits. I'm saying that someone may think of a way to profit from it that you and I haven't thought of.
 
As an example I have often wondered why thieves haven't taken advantage of the fact that there are barbecue grills on patios all over America that cost $1000 - $2000 and are free for the taking and easy to pawn. Suburbia is full of families that leave the house empty all day long with outdoor kitchens just sitting out there. I look at an open wifi router in my house similar to that sort of thing kinda like leaving your doors open.
 
Mike.
 
Thieves are typically branded as lazy. To make use of a BBQ they may have to clean it out first.
I haven't cleaned mine in eight years because it is such a boring job.
 
Personally I would not lose any sleep over this kind of stuff.    It's a willy nilly world out there in internetlandia.
 
I posted the OP for informational purposes and hopefully to be proactive relating to upgrading your stuff.
 