An article by two Belgian researchers has shed more light on the vulnerabilities discovered in the Wi-Fi protected II (WPA2) implementations in more than access, if not all, wireless network devices that use the protocol. Nicknamed "KRACK" (Key reinstallation attack), the attack "abuse design or implementation flaws in cryptographic protocols to reinstall a key already in use", wrote Mathy Vanhoef and Frank Piessens of the Catholic University of Leuven (KU Leuven) in The document, published today.
The report came after widespread dissemination of problems, as Ars reported on Sunday night. The research is based on previous scans of the deficiencies of the WPA2 component protocols, and some of the attacks mentioned in the document were previously recognized as theoretically possible. However, the authors have turned these vulnerabilities into the proof-of-concept code ", and it was found that all Wi-Fi devices are vulnerable to some variant of our attacks it should be noted that our attack is exceptionally devastating against Android 6.0:. The client is forced to use an encryption key of all predictable zeros. "
While Windows and IOS devices are immune to a single taste of the attack, they are susceptible to others. And all major operating systems are vulnerable to at least one form of KRACK attack. And in an addition published today, the investigators noted that things are worse than they seemed at the time the document was written:
Although this document is made public now, it has already been reviewed on 19 May 2017. After that, only minor changes were made. As a result, the findings on paper are already several months old. Meanwhile, we have found the easiest techniques to carry out the attack against the key 4-way reinstallation. With our new attack technique, it is now trivial to exploit the implementations that only accept the 4-way encrypted message retransmissions. In particular this means that attacking MacOS and OpenBSD is significantly easier than discussed on paper.
Wi-Fi networks typically use shared keys (usually based on AES encryption) to protect network traffic. This key is shared through a collection of cryptographic "handshakes" that verifies the identity of the clients of the network. The attack style documented by Vanhoef and Piessens addressed to cryptographic handshakes: the four-way greeting uses to initially pass a shared key for the client or the handshakes PeerKey used in the network connections peer-to-peer; The handshakes group updates the key used by the network to change the key when a client leaves the network; and the basic Services Suite (BSS) The rapid Transition (FT) handshakes used to allow customers to spin over a network with multiple access points.
While Windows and Apple IOS devices are not vulnerable to the four-way handshakes attack, they are vulnerable to the group key handshakes attack and the rapid BSS attack. Android Wear 6.0, Chrome and Android 2.0 devices are particularly vulnerable to the four-way handshakes attacks an attack really causes the protocol to reinstall one, all predictable key zeros, so it is trivial to decipher the traffic of the Network. The same can be said of other Linux implementations that use Wpa_supplicant version 2.4 and 2.5, the Wi-Fi client is commonly used in Linux (the latest version of Wpa_supplicant is 2.6).
"This vulnerability seems to be caused by a comment on the 802.11 standard suggesting to delete parts of the session key from memory once it has been installed," Vanhoef and Piessens explained. "As a result, currently 31.2 percent of Android devices are vulnerable to this exceptionally devastating variant of our attack."
In an addition to the document published by today's authors, VANHOEF and Piessens expanded their results, expanding the problem to all current Linux distributions:
Linux v 2.6 wpa_supplicant is also vulnerable to installing an all-zero encryption key in the 4-way. This was discovered by John A. Van Boxtel. As a result, all versions of Android above 6.0 are also affected by the attack, and therefore can be deceived in installing an encryption key from all zeros. The new attack works by injecting a forged message 1, with the same ANonce as used in the original message 1, before forwarding the transmitted message 3 to the victim. In each case, the attacker can force a target device to re-install a key already in shared use, degrading the key.
Depending on the type of handshakes used between the nodes of the Wi-Fi network, the attack can vary the levels of damage:
- For connections using AES and the counter with CBC-MAC Protocol ((AES)-CCMP), an attacker can decrypt network packets, so it is possible to read their contents and to inject malicious content into TCP packet streams. But the key cannot be broken or forged, so the attacker cannot forge a key and join the network, instead, they have to use a "cloned" access point that uses the same MAC address as the specific network access point , on a different Wi-Fi connection channel.
- For WPA2 systems using the Temporal Key Integrity Protocol (TKIP), the message key integrity code can be retrieved by the attacker. This allows them to play packets captured on the network; They can also forge and transmit new packages to the customer oriented by posing as the access point.
- For devices using the Galois/Counter Mode Protocol (JCGP), the attack is the worst: "It is possible to play and decrypt the packages," Vanhoef and Piessens wrote. "In addition, it is possible to recover the authentication key, which to its JCGP is used to protect the two communication senses… So, unlike TKIP, an adversary can forge packets in both directions. " That means the attacker can essentially join the network and pretend to be a customer or the access point, depending on the type of access they want. "Since it is expected that JCGP will be adopted at a high rate in the coming years under the name of WiGig, this is a troubling situation," the investigators said.