This is something I covered last year, but I wanted to go more in-depth in this topic now that there is more information on it.
Our Wi-Fi wireless networks are currently protected by a security encryption protocol called “Wi-Fi Protected Access 2 (WPA2).” In the previous decades before, our wireless networks depended on a legacy security protocol called “Wired Equivalent Privacy (WEP).” It was branded this name because it was supposed to give our wireless networks the same level of protection as our wired networks; however, as early as 2001, researchers were already demonstrating how WEP could be easily cracked. By 2004, both WEP-40 and WEP-104 were deprecated by the IEEE.
Fortunately, the IEEE had developed an immediate and temporary solution to take WEP’s place until a complete solution was completed. This temporary solution was “Wi-Fi Protected Access (WPA).” It was the incomplete version of WPA2, but it was a suitable alternative over WEP until WPA2 became available in 2004. Instead of using TKIP with AES, WPA2 offers the use of CCMP with AES, making it a much more secure alternative to WPA. By 2006, all new devices that bear the Wi-Fi trademark were required to have a WPA2 certification because it was the best form of security we currently have…until October 2017.
Mathy Vanhoef of imec-DistriNet, KU Leuven, and his partners, have recently discovered how to crack WPA2, the protocol that secures all our wireless networks. They call it “Key Re-installation Attacks,” or “KRACK attacks,” for short. Although this wasn’t the first weakness discovered in WPA2, it is by far the most serious. WPA2 has always been vulnerable to dictionary/brute force attacking, but this is assuming the password is very weak. The KRACK attack, on the other hand, does not rely on password guessing and it works against all modern Wi-Fi wireless networks. All Wi-Fi supported devices, including Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attack.
The KRACK attack has 10 CVE identifiers, which you can see here.
- CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
- CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
- CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
- CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
- CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
- CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
- CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
- CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
- CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
- CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
The WPA 4-Way Handshake
The researchers did release a proof-of-concept (POC) demonstration video that you can watch here. But, to really understand how the KRACK attacks work, it’s essential to understand the WPA 4-Way handshake. Why? Because in order for this attack to work, the attacker captures part of the handshake message and uses modified versions of it to trick devices into installing a blank or already-in-use encryption key. This is where the “Key Re-installation Attack” gets its name.
In order to crack a WPA2 network, the attacker must capture the WPA 4-way handshake between the client (Supplicant) and the AP (Authenticator). The “PSK” in WPA2-PSK stands for “Pre-Shared Key.” Both the client and the AP know the PSK, or “Pairwise Master Key (PMK),” but they need to prove to each other that they know the key without disclosing it over the air. This would be the Wi-Fi password for WPA2-PSK or the key from the EAP process for WPA-Enterprise. This technical feat is accomplished by creating a Pairwise Transient Key (PTK) and using it to exchange encrypted/decrpyted messages to each other. The process takes 4 steps.
In Step 1, the AP sends an ANonce to the Supplicant. A “nonce” is a value that can only be used once and it will be used to create the Pairwise Transient Key (PTK). The “A” stands for “Authenticator.” The ANonce is also sent with a Key Replay Counter to help discard replayed messages.
In Step 2, the Supplicant constructs the PTK. In order to create the PTK, the supplicant uses its own SNonce (Supplicant nonce), the PMK, the ANonce from Step 1, it’s own MAC address, and the Authenticator’s MAC address (which it already knows since it’s being broadcasted via beaconing).
Therefore, PTK = PMK + ANonce + SNonce + Supplicant MAC address + Authenticator MAC address. This information is put through a psuedo-random function to create the PTK.
The Authenticator also needs the SNonce used by the Supplicant; therefore, it sends the SNonce in plaintext and uses HMAC-SHA1 as an authenticity check or Message Integrity Code (MIC). It also sends the Key Replay Counter back to the Authenticator.
In Step 3, the Authenticator acknowledges and verifies the message received from the Supplicant during Step 2 by checking the MIC. It then uses the SNonce and the other required parameters it already knows to create the same PTK. It notifies the Supplicant that the PTK is installed, creates a Groupwise Temporal Key (GTK), and sends it over to the Supplicant with another MIC. The GTK is used for broadcast and multicast frames on the network. All clients use this same GTK.
In Step 4, the Supplicant acknowledges and verifies the message received from the Authenticator in Step 3 by checking the MIC. It acknowledges that the PTK and GTK were installed, and from then on, encrypted unicast and broad/multicast traffic can commence. The PTK and GTK will be divided into separate keys depending on which encryption protocols are being used.
Summary of the WPA 4-Way Handshake
To summarize, the client and the AP have to prove they both know the PMK without ever passing it through the air. This is done by exchanging cryptographic keys in a cleverly designed process. The PTK is never actually passed between the client and the AP. Instead, it is derived from information that the client and the AP share. Every time a client associates with an AP, new keys are created. This makes every session completely unique from the next. The WPA 4-Way handshake is not encrypted until after step 4 is completed.
This does not prevent attackers from eavesdropping because it is very common to capture the WPA 4-Way handshake and analyze it in a .pcap file. However, because the PTK and the PMK are never transmitted, attackers have to take extra steps to make any use of it. For example, an attacker can generate his own key and use the ANonce, SNonce, MAC addresses, and MIC from any WPA handshake capture to verify if it matches. Thus, a brute force or dictionary attack is possible if the Wi-Fi password is weak.
How the KRACK Attack Works
In a KRACK attack, the researchers trick a test victim into reinstalling an already-in-use key. This is because in the WPA2 design, it’s possible that a packet can be lost during the WPA handshake and rebroadcasted. The KRACK attack takes advantage of this rebroadcast in Step 3 where the PTK and GTK are negotiated. If the AP does not receive an acknowledgement from the client after Step 3, the AP will rebroadcast the key and the client will be expected to reinstall the keys, which is the PTK and the GTK. This will reset the nonce and key replay counter, which means the client reuses nonces (that’s not good).
The researchers run Wireshark to capture network traffic and run an unspecified attack script to target the network. This attack creates a rogue AP of the target network, but on a different channel, which is the same thing as an Evil Twin attack. The MAC address of the target AP and the Evil Twin are the same. Disassociation or deauthentication frames are then transmitted onto the target network, which disassociates any legitimate clients on the target network.
By enabling IP forwarding, DHCP, and DNS settings on the Evil Twin, the attacker can ensure that the victim will have Internet access once it associates to their rogue AP. The sslstrip tool is also used in this attack, which is used to remove any HTTPS protection and downgrade secure web connections to HTTP.
Once the deauth frames are sent to the target network, the victim will attempt to associate with the Evil Twin by attempting a 4-way handshake since the SSIDs and MAC addresses are identical. At this point, the key re-installation attack (KRACK) begins when this channel-based MitM is created. It’s unclear how the attack is performed, but the researchers somehow block the client’s message 4 from arriving to the Evil Twin. The client then receives multiple messages that the AP did not receive an appropriate response as an acknowledgment after Step 3 in the WPA handshake. Each time the client receives this message, it will reinstall the already-in-use PTK and GTK, and thereby reset the nonce and key replay counter.
By collecting and replaying Step 3 in the WPA handshake, nonce resets can be forced, which allows packets to be forged and decrypted. As we saw with WEP, the same key should never be used twice. Since the WEP IVs were short, it guaranteed that the same IV would be reused eventually. Therefore, by reusing nonces in WPA2, we violate one of the cardinal rules of never reusing keys.
This same 4-way handshake KRACK attack can also be performed against the Group Key, PeerKey, TDLS, and Fast BSS transition handshake.
What Can Hackers Do Using KRACK Attacks?
With the KRACK attack, a channel-based man-in-the-middle (MitM) position is forced, which sets the attacker up for even nastier attack options. It can also be assumed that all packets can be decrypted. This means sensitive information (e.g. usernames/passwords, credit card information, etc.) and cookies can be stolen, session-hijacking can be performed, and packets can be injected or forged. Thus, confidentiality and integrity of data is compromised.
Practicality of KRACK Attacks
All wireless networks that use WPA2 with TKIP or GCMP are vulnerable to KRACK attacks, more so than wireless networks that use AES with CCMP. The direction in which packets can be decrypted and forged also depends on the handshake being attacked, such as 4-way, Group Key, PeerKey, TDLS, and the Fast BSS transition handshake.
In addition, there are complications that arise for Windows and iOS clients because they do not accept retransmissions of message 3, which violates the rules of the WPA2 protocol. However, they are still vulnerable to other forms of KRACK attacks that target the Group Key. Another issue is that certain implementations only accept frames protected using the data-confidentiality protocol once a PTK has been installed; however, the researchers have somehow figured out their own way to bypass this technical issue.
Many Android and Linux devices are extremely vulnerable to KRACK attacks because instead of reinstalling the encryption key after the retransmission of message 3, the client will install an all-zero encryption key instead of reinstalling the already-in-use key. The researchers believe that this is an inherit vulnerability in WPA2 that suggests to clear the encryption key from memory once it has been installed for the first time during the WPA handshake.
How to Protect Yourself
Changing your Wi-Fi password will not protect your from KRACK attacks as KRACK attacks actually never recover the Wi-Fi password anyway. Changing your Wi-Fi password to something stronger is still recommended though because it prevents brute force and dictionary attacks.
You can, however, update your client devices and routers. Router vendors have already released patches that can help prevent KRACK attacks. Home routers may not even need to be updated as KRACK attacks mainly affect enterprise network routers.
Can We Learn How to Perform KRACK Attacks?
Eventually. The script that was used in the researchers’ POC demonstration will not be released until everyone has had ample time to update their devices.
Mtroi. (2014). 4-Way Handshake. Retrieved from https://wlan1nde.wordpress.com/2014/10/27/4-way-handshake/comment-page-1/
Sanders, J. (2017). KRACK WPA2 protocol Wi-Fi attack: How it works and who’s at risk. CBS Interactive. Retrieved from https://www.techrepublic.com/article/krack-wpa2-protocol-wi-fi-attack-how-it-works-and-whos-at-risk/
Vanhoef, M. (2017). Key Reinstallation Attacks Breaking WPA2 by forcing nonce reuse. Retrieved from https://www.krackattacks.com/#changepw
Vanhoef, M. & Piessens, F. (2017). Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Retrieved from https://papers.mathyvanhoef.com/ccs2017.pdf
[…] perhaps the most foreboding vulnerability of WPA2 were the recent discover of Key Reinstallation AttaCKs (KRACK), a type of wireless exploit discovered by Mathy Vanhoef that decrypts Wi-Fi traffic. This […]
[…] variant of the attack. The KRACK attack has 10 CVE identifiers, which you can see here. I covered KRACK attacks in an earlier post back in […]