KRACK Attack: Breaking WPA2

The Krack Attack affects most wireless networks and clients across the world. Wireless networks play a crucial role in the digital world and most internet users use WiFi networks on a daily basis. Having encryption on wireless networks has become the benchmark and over the years we’ve had many encryption algorithms for WiFi communication – First WEP, followed by WPA and now WPA2.

That being said – In line with Murphy’s law and assisted by growing computational capabilities thanks to Moore’s Law – Each one of them has eventually succumbed to a vulnerability that renders it irrelevant.

WPA2 has been so far considered as the most trusted and secure protocol for wireless communication till date.

A security researcher from the Belgian University KU Leuven named Mathy Vanhoef released details about an attack called KRACK – Key Re-installation Attack for WPA2 protocol on his website.

Vanhoef writes about this attack on his website:

The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available.

Our main attack is against the 4-way handshake of the WPA2 protocol. This handshake is executed when a client wants to join a protected Wi-Fi network, and is used to confirm that both the client and access point possess the correct credentials (e.g. the pre-shared password of the network). At the same time, the 4-way handshake also negotiates a fresh encryption key that will be used to encrypt all subsequent traffic. Currently, all modern protected Wi-Fi networks use the 4-way handshake. This implies all these networks are affected by (some variant of) our attack. For instance, the attack works against personal and enterprise Wi-Fi networks, against the older WPA and the latest WPA2 standard, and even against networks that only use AES. All our attacks against WPA2 use a novel technique called a key reinstallation attack (KRACK). 

Here’s How the KRACK WPA2 Attack Works:

What is the impact ?

According to the researcher the impact of this vulnerability depends on the handshake being attacked, and the data-confidentiality protocol in use since against AES-CCMP an attacker can only replay and decrypt packets but can’t forge it.

“The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others,” the US-CERT warned. “Note that as protocol-level issues, most or all correct implementations of the standard will be affected.”

To simply a bit, the communication over HTTPS is secure (but may not be 100 percent secure) and cannot be decrypted using the KRACK attack. That being said, you are advised to use a secure VPN service – which encrypts all your Internet traffic whether it’s HTTPS or HTTP.

How to protect your networks from Krack Attack?

As of now the only efficient mechanism is to apply patches / updates for clients and deploy the latest firmware being released. Changing the password of your Wi-Fi network does not prevent (or mitigate) the attack.

Below are some firmware and driver updates available for KRACK WPA2 vulnerability for the major vendors :

The complete list is available at Bleeping computer where they are tracking the progress of each specific vendor’s patch release.

Krack Attack - WPA2 Patch Story
Image Source : CommitStrip

Is there anyway to mitigate this attack?

Until a patch and firmware update are released by your vendor, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.

Assigned CVE Identifiers

The following Common Vulnerabilities and Exposures (CVE) identifiers were assigned to track which products are affected by specific instantiations of our key re-installation attack:

  • CVE-2017-13077: Re-installation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
  • CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
  • CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
  • CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
  • CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
  • CVE-2017-13082: Accepting a re-transmitted Fast BSS Transition (FT) Re-association Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
  • CVE-2017-13084: Re-installation of the STK key in the PeerKey handshake.
  • CVE-2017-13086: re-installation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
  • CVE-2017-13087: Re-installation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
  • CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.

Note that each CVE identifier represents a specific instantiation of a key re-installation attack. This means each CVE ID describes a specific protocol vulnerability, and therefore many vendors are affected by each individual CVE ID. You can also read vulnerability note VU#228519 of CERT/CC for additional details on which products are known to be affected.

How does it work?

The attack occurs due to a vulnerability in the 4-way handshake or against cipher suites defined in the WPA2 protocol and hence all products using the correct implementation of the protocol are vulnerable. The attacks targets the 4-way handshake, and does not exploit access points, but instead targets the clients.

The idea behind this attack is to abuse the keys being used in phase 3 of 4 way handshake where key is generated after 2 way handshake between AP and client.

This authenticated key can be captured with MITM and can be replayed to exploit the vulnerability since the keys are already used and fully authenticated and verified for handshake between AP and client.

Earlier the reuse of generated and used keys was not possible for further implementation since the router used to get restarted for multiple use of same key. Even if the same problem occurs in current scenario, the attackers are able misuse this since keys are stored in non-volatile memory on boot during restart