
Mathy Vanhoef, a Belgian researcher from the university KU Leuven, released a paper on October 16th, 2017, fully detailing a newly discovered vulnerability in the most widely used Wi-Fi encryption protocol – the WPA2 protocol. The hack is already nicknamed “KRACK”, an acronym derived from the name Mathy Vanhoef gave the attack that exploits the WPA2 vulnerabilities – the Key Reinstallation Attack. This is a huge development, and a problem for almost every Wi-Fi user in the world – probably the biggest since the WPA hack made public in 2009.
The Basics Behind the KRACK Exploit
Basically, the KRACK hack can be used to view Wi-Fi information that has, until now, been presumed safe and securely encrypted. The KRACK technique can be used against most modern Wi-Fi networks that use WPA2 protocol encryption. KRACK could potentially be used to uncover and steal data from anything a user does over Wi-Fi, including photos, chat, emails, passwords, and even credit card numbers. Also, depending on the configuration of the Wi-Fi network being exploited, KRACK may even allow data manipulation via browser injections, which could effectively put hidden malware/ransomware on non-malicious websites that victims are visiting.
The KRACK WPA2 Hack in Detail
The KRACK vulnerabilities are not present because of specific routers or operating systems but because of the Wi-Fi standard WPA2 encryption protocol itself. Therefore, wherever WPA2 is implemented for Wi-Fi encryption, there is an exploitable vulnerability – Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and every other major operating system that uses WPA2 for Wi-Fi are all susceptible to one form or another of the Key Reinstallation Attack. However, Android and Linux are the most easily KRACKED. Mathy Vanhoef’s full paper, titled Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2, can currently be read at his website – it will also be presented at the Computer and Communications Security (CCS) conference on Wednesday 1 November 2017. A website has also been set up to help inform the general public: www.krackattacks.com
How the KRACK Exploit Works
The KRACK technique is an attack directed at the “4-way handshake” of the WPA2 protocol’s encryption process. The first of the four handshakes is executed when a client tries to join a WPA2 Wi-Fi network, and it checks both the client and the access point or router for the network’s key. If the first of the four handshakes is successful, then the second and third steps of the 4-way handshake can be exploited by the KRACK technique, which basically tricks the WPA2 encryption process into a loop that stays connected and can be attacked via man-in-the-middle (MITM) packet snooping and duplication. Furthermore, while attacking the WPA2 4-way handshake and the Fast BSS Transition (FT) handshake, KRACK is able to exploit and decrypt/forge packets sent from the client as well as packets sent to the client. The KRACK technique works against both Personal and Enterprise versions of WPA2, the older WPA protection protocol, and even AES-only Wi-Fi networks. If the user being exploited uses either the WPA-TKIP or GCMP encryption protocol rather than AES-CCMP, the KRACK technique is especially effective. When KRACK is used against WPA-TKIP or GCMP, the attacker can not only intercept and decrypt packets, but also forge and inject them.
Here’s how Mathy Vanhoef explains the KRACK technique:
“When a client joins a network, it executes the 4-way handshake to negotiate a fresh encryption key. It will install this key after receiving message 3 of the 4-way handshake. Once the key is installed, it will be used to encrypt normal data frames using an encryption protocol. However, because messages may be lost or dropped, the Access Point (AP) will retransmit message 3 if it did not receive an appropriate response as acknowledgment. As a result, the client may receive message 3 multiple times. Each time it receives this message, it will reinstall the same encryption key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by the encryption protocol. We show that an attacker can force these nonce resets by collecting and replaying retransmissions of message 3 of the 4-way handshake. By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged. The same technique can also be used to attack the group key, PeerKey, TDLS, and fast BSS transition handshake.”
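The nonce reset described in the quote above, as an added example that is not code from Vanhoef’s paper or from any Wi-Fi implementation. It is a toy model: the `Client` class, the SHAKE-based keystream (a stand-in for CCMP’s counter mode) and the sample key and frames are all constructed assumptions. It shows why reinstalling a key repeats keystream, and how refusing to reinstall a key already in use keeps every packet number unique.

```python
import hashlib

TK, P1, P2 = bytes(range(16)), b"GET /login HTTP/1.1", b"user=alice&pw=hunter"  # constructed samples

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(tk: bytes, pn: int, length: int) -> bytes:
    """Toy stand-in for CCMP counter mode: output depends only on (key, packet number)."""
    return hashlib.shake_256(tk + pn.to_bytes(6, "big")).digest(length)

class Client:
    """Hypothetical supplicant model; hardened=True selects the patched behaviour."""
    def __init__(self, hardened: bool):
        self.hardened, self.tk, self.pn = hardened, None, 0

    def on_message3(self, tk: bytes) -> None:
        # Patched behaviour: a retransmitted message 3 carrying the key that is
        # already in use must not trigger a second installation.
        if self.hardened and tk == self.tk:
            return
        self.tk, self.pn = tk, 0  # installing the key resets the transmit nonce

    def send(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.tk, self.pn, len(plaintext)))

def reused_nonces(frames):
    """Defender's check: packet numbers seen more than once under the same key."""
    seen, dup = set(), set()
    for pn, _ in frames:
        (dup if pn in seen else seen).add(pn)
    return sorted(dup)

def run(hardened: bool):
    client = Client(hardened)
    client.on_message3(TK)          # first delivery of message 3: key installed
    frames = [client.send(P1)]
    client.on_message3(TK)          # the AP's retransmission of message 3 arrives
    frames.append(client.send(P2))
    return frames

if __name__ == "__main__":
    for mode in (False, True):
        f = run(mode)
        leaks = xor(f[0][1], f[1][1]) == xor(P1, P2)  # ciphertext XOR == plaintext XOR?
        print("hardened" if mode else "vulnerable", reused_nonces(f), leaks)
```

In the vulnerable run both frames are encrypted under packet number 1, so XORing the two ciphertexts cancels the keystream and leaves the XOR of the plaintexts; in the hardened run the packet numbers are 1 and 2 and nothing cancels.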
Mathy Vanhoef also created a video demonstrating the KRACK technique’s basic operation.
Tracking KRACK Exploit via CVE identifiers
The Cert.org Vulnerability Notes Database is a database dedicated to tracking and solving vulnerabilities discovered across the web. These “Common Vulnerabilities and Exposures” (CVE) identifiers have been assigned to products that are affected by one form or another of the “Key Reinstallation Attack”:
- CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
- CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
- CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
- CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
- CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
- CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
- CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
- CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
- CVE-2017-13087: Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
- CVE-2017-13088: Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
Every CVE identifier listed signifies a specific instance/form of a “Key Reinstallation Attack”, or KRACK. Therefore, each CVE ID outlines a specific protocol’s vulnerability to KRACK, meaning each CVE ID could include many software/hardware vendors that are affected and are not limited to just one vendor. To obtain more detailed info regarding specific products, search through the database of CERT/CC, or get in touch with your product’s manufacturer/vendor.
Public Reaction to KRACK
As soon as security specialists caught wind of KRACK, they were on it like… well, a crackhead on crack. Most major tech and security related websites, as well as news and media websites, already had one or more articles on KRACK published before the day’s end. Bleeping Computer, Ars Technica, V3, The Guardian, The Verge, and Forbes were all pretty quick to get the word out about KRACK, and the general attitude from all of them was the same – the situation is dire.
However, one exception was the article posted by TechCrunch that made light of the KRACK vulnerability by saying this:
“But first, let’s clarify what an attacker can and cannot do using the KRACK vulnerability. The attacker can intercept some of the traffic between your device and your router. If traffic is encrypted properly using HTTPS, an attacker can’t look at this traffic. Attackers can’t obtain your Wi-Fi password using this vulnerability. They can just look at your unencrypted traffic if they know what they’re doing. With some devices, attackers can also perform packet injection and do some nasty things. This vulnerability is like sharing the same WiFi network in a coffee shop or airport. The attacker needs to be in range of your WiFi network. They can’t attack you from miles and miles away..”
This is very surprising, and scary to see coming from TechCrunch, because people living in any urban or suburban setting are most likely in range of one or more of their neighbors at all times – neighbors that could be just as unscrupulous and skilled as the hackers sitting in coffee shops and airports waiting for unsuspecting victims to use the shared Wi-Fi without taking proper precautions.
Plus, SSL has been proven to have flaws and vulnerabilities on many platforms including Android, iOS, as well as any non-browser software utilizing SSL (TLS) including many home-banking apps. And SSL vulnerabilities are not just a thing from the past affecting older versions of SSL, but as recent as the DROWN vulnerability that came to light earlier this year that also exploits TLS. Since HTTPS is based around SSL/TLS encryption, it’s foolhardy to take any solace from HTTPS encryption now that KRACK is effectively making WPA2 Wi-Fi encryption ineffective until hardware/software patches are put out for routers, access points, and operating systems.
Some sites, including TechCrunch, also warn that a VPN won’t help because you are then having to trust your VPN provider with all of your internet usage. However, I’d much rather trust a reputable VPN provider with my information than put my trust in every random person within my Wi-Fi’s range. A VPN that truly keeps no logs can be easily found with the help of sites like GetFastVPN. Use this VPN Comparison Table to help quickly narrow down which VPNs to research more thoroughly before committing to one.
Of course, a KRACK Wikipedia page went up pretty fast as well. 😛