KRACK Spells Big Trouble for Wireless Security
A long-standing pillar of modern computer security sustained major damage on Monday when researchers revealed a serious weakness in WPA2, the gold-standard protocol for protecting wireless networks.
The Belgian researcher who discovered the weakness, Mathy Vanhoef of KU Leuven, dubbed the new category of attacks "KRACK" for "key reinstallation attacks."
KRACK exploits a flaw in the way a client joins a WPA2-protected network, a procedure known as the four-way handshake. Critically, Vanhoef noted that the flaw exists in properly configured wireless networks. "The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected," Vanhoef wrote on a Web site created to explain the vulnerability, www.krackattacks.com.
By manipulating and replaying cryptographic handshake messages, KRACK tricks the victim system into re-installing keys that are already in use, Vanhoef wrote. While the attack does not reveal the wireless network password, it does allow some to all of the network traffic to be visible to an attacker, depending on the encryption protocol in use.
Like any wireless attack, KRACK requires the attacker to be within wireless signal range of the target, and only circumvents the encryption provided by WPA2, not the encryption of the underlying data using Transport Layer Security or other types of protection. (In a proof-of-concept video on his Web site, however, Vanhoef used the SSLStrip tool in combination with KRACK methods to simulate a man-in-the-middle attack to view an Android phone user's encrypted Internet traffic.)
"Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on," Vanhoef said. "Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites."
Vanhoef began notifying affected vendors in mid-July and had originally planned to go public with details in August, but began working with industry organizations as the scope and scale of the problem became evident.
The coordinated public release of the details of the attack Monday morning caused a flurry of activity in the security community. A CERT Vulnerability Note #228519 titled, "[WPA2] handshake traffic can be manipulated to induce nonce and session key reuse," went out Monday with a list of 15 affected vendors, including Cisco, Intel, Juniper Networks, Red Hat, Toshiba and others. Vanhoef's own tests found Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and others vulnerable, although the problems are particularly acute for Android and Linux.
Because of the early notice, Microsoft has already issued fixes for the flaw, a Microsoft spokesperson said in an e-mail: "Microsoft released security updates on October 10th and customers who have Windows Update enabled and applied the security updates, are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates."
In a post on his personal blog, Alex Hudson, CTO at the Iron Group, ranked his impressions of risk by platform. "Attacks against Android Phones are very easy!" he wrote. "Best to turn off wifi on these devices until fixes are applied. Windows and Mac OS users are much safer. Updates for other OSes will come quite quickly, the big problem is embedded devices for whom updates are slow / never coming."
Hudson also pointed out that the main attack was against clients, not access points. "Updating your router may or may not be necessary: updating your client devices absolutely is! Keep your laptops patched, and particularly get your Android phone updated."
Meanwhile, vendors that are focused on other layers of security were quick to pounce on the incident as further evidence of the need for multifaceted security approaches.
"There's no stopping users from connecting to public Wi-Fi hotspots, so it's up to the enterprise to layer on protection mechanisms. This vulnerability speaks to the importance of ensuring that all connections from endpoints leverage strong encryption, such as the latest versions of Transport Layer Security (TLS). Intermediary proxies can ensure that regardless of what the application supports, all connections from end-user devices leverage strong encryption," said Rich Campagna, CEO of Bitglass, in a statement.
While WPA2 has not been impervious to attack, the flaw represents a significant chink in the armor of one of the more robust quarters of computer security. Previous attacks on WPA2 mostly involved hitting surrounding technologies, such as vulnerabilities in Wi-Fi Protected Setup (WPS), or required either password-guessing or an attack from a table of hashed passwords that could only succeed if the correct password was already included.
It will be possible to issue patches in a backward-compatible manner, meaning that KRACK doesn't create a need for a WPA3, Vanhoef noted. Nonetheless, the combination of unpatched and unpatchable systems mean attacks based on this new method are likely to be a factor in wireless network attacking and defending for a long time to come.
Posted by Scott Bekker on October 16, 2017