KRACK

Last updated
KRACK
KRACK-logo-small.png
KRACK attack logo
CVE identifier(s) CVE- 2017-13077,

CVE- 2017-13078,
CVE- 2017-13079,
CVE- 2017-13080,
CVE- 2017-13081,
CVE- 2017-13082,
CVE- 2017-13084,
CVE- 2017-13086,
CVE- 2017-13087,

CVE-

Contents

2017-13088
Date discovered2016;6 years ago (2016)
DiscovererMathy Vanhoef and Frank Piessens
Affected hardwareAll devices that use Wi-Fi Protected Access (WPA)
Affected softwareAll operating systems that use WPA

KRACK ("Key Reinstallation Attack") is a replay attack (a type of exploitable flaw) on the Wi-Fi Protected Access protocol that secures Wi-Fi connections. It was discovered in 2016 [1] by the Belgian researchers Mathy Vanhoef and Frank Piessens of the University of Leuven. [2] Vanhoef's research group published details of the attack in October 2017. [3] By repeatedly resetting the nonce transmitted in the third step of the WPA2 handshake, an attacker can gradually match encrypted packets seen before and learn the full keychain used to encrypt the traffic.

The weakness is exhibited in the Wi-Fi standard itself, and not due to errors in the implementation of a sound standard by individual products or implementations. Therefore, any correct implementation of WPA2 is likely to be vulnerable. [4] The vulnerability affects all major software platforms, including Microsoft Windows, macOS, iOS, Android, Linux, OpenBSD and others. [3]

The widely used open-source implementation wpa_supplicant, utilized by Linux and Android, was especially susceptible as it can be manipulated to install an all-zeros encryption key, effectively nullifying WPA2 protection in a man-in-the-middle attack. [5] [6] Version 2.7 fixed this vulnerability. [7]

The security protocol protecting many Wi-Fi devices can essentially be bypassed, potentially allowing an attacker to intercept [8] sent and received data.

Details

The attack targets the four-way handshake used to establish a nonce (a kind of "shared secret") in the WPA2 protocol. The standard for WPA2 anticipates occasional Wi-Fi disconnections, and allows reconnection using the same value for the third handshake (for quick reconnection and continuity). Because the standard does not require a different key to be used in this type of reconnection, which could be needed at any time, a replay attack is possible.

An attacker can repeatedly re-send the third handshake of another device's communication to manipulate or reset the WPA2 encryption key. [9] Each reset causes data to be encrypted using the same values, so blocks with the same content can be seen and matched, working backwards to identify parts of the keychain which were used to encrypt that block of data. Repeated resets gradually expose more of the keychain until eventually the whole key is known, and the attacker can read the target's entire traffic on that connection.

According to US-CERT:

"US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017." [10]

The paper describing the vulnerability is available online, [11] and was formally presented at the ACM Conference on Computer and Communications Security on 1 November 2017. [5] US-CERT is tracking this vulnerability, listed as VU#228519, across multiple platforms. [12] The following CVE identifiers relate to the KRACK vulnerability: CVE - 2017-13077 ,CVE- 2017-13078 ,CVE- 2017-13079 ,CVE- 2017-13080 ,CVE- 2017-13081 ,CVE- 2017-13082 ,CVE- 2017-13084 ,CVE- 2017-13086 ,CVE- 2017-13087 and CVE - 2017-13088. [5]

Some WPA2 users may counter the attack by updating Wi-Fi client and access point device software, if they have devices for which vendor patches are available. [13] However, vendors may delay in offering a patch, or not provide patches at all in the case of many older devices. [13] [1]

Patches

Patches are available for different devices to protect against KRACK, starting at these versions:

SystemVersionPatched
Android Android 5.0 and laterAndroid 2017-11-06 security patch level [14]
ChromeOS AllStable channel 62.0.3202.74 [15]
iOS iOS 11 iOS 11.1 for iPhone 7, iPad Pro 9.7 inch, and later devices; [16] iOS 11.2 for all other supported devices [17]
LineageOS 14.1 (Android 7.1) and later14.1-20171016 [18]
macOS High Sierra 10.13macOS 10.13.1 [19]
macOS Sierra 10.12Security Update 2017-001 Sierra [19]
OS X El Capitan 10.11Security Update 2017-004 El Capitan [19]
tvOS 11tvOS 11.1 [20]
watchOS 4watchOS 4.1 [21]
Windows 7 KB4041681 or KB4041678 [22]
Windows 8.1 KB4041693 or KB4041687 [22]
Windows 10 KB4042895 (initial version)
KB4041689 (version 1511)
KB4041691 (version 1607)
KB4041676 (version 1703)
Windows 10 version 1709 and later have the patch included in its release [22]
Windows Server 2008 KB4042723 [22]
Windows Server 2012 KB4041690 or KB4041679 [22]
Windows Server 2016 KB4041691 [22]
Ubuntu Linux 14.04 LTS, 16.04 LTS, 17.04Updates as of October 2017 [23]

Workarounds

In order to mitigate risk on vulnerable clients, some WPA2-enabled Wi-Fi access points have configuration options that can disable EAPOL-Key[ clarification needed ] frame re-transmission during key installation. Attackers cannot cause re-transmissions with a delayed frame transmission, thereby denying them access to the network, provided TDLS is not enabled. [24] One disadvantage of this method is that, with poor connectivity, key reinstallation failure may cause failure of the Wi-Fi link.

Continued vulnerability

In October 2018, reports emerged that the KRACK vulnerability was still exploitable in spite of vendor patches, through a variety of workarounds for the techniques used by vendors to close off the original attack. [25]

See also

Related Research Articles

<span class="mw-page-title-main">Wi-Fi</span> Wireless local area network

Wi-Fi is a family of wireless network protocols, based on the IEEE 802.11 family of standards, which are commonly used for local area networking of devices and Internet access, allowing nearby digital devices to exchange data by radio waves. These are the most widely used computer networks in the world, used globally in home and small office networks to link desktop and laptop computers, tablet computers, smartphones, smart TVs, printers, and smart speakers together and to a wireless router to connect them to the Internet, and in wireless access points in public places like coffee shops, hotels, libraries and airports to provide visitors with Internet access for their mobile devices.

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

Wired Equivalent Privacy (WEP) was a security algorithm for 802.11 wireless networks. Introduced as part of the original IEEE 802.11 standard ratified in 1997, its intention was to provide data confidentiality comparable to that of a traditional wired network. WEP, recognizable by its key of 10 or 26 hexadecimal digits, was at one time widely used, and was often the first security choice presented to users by router configuration tools.

Wi-Fi Protected Access (WPA), Wi-Fi Protected Access II (WPA2), and Wi-Fi Protected Access 3 (WPA3) are the three security and security certification programs developed after 2000 by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP).

IEEE 802.11i-2004, or 802.11i for short, is an amendment to the original IEEE 802.11, implemented as Wi-Fi Protected Access II (WPA2). The draft standard was ratified on 24 June 2004. This standard specifies security mechanisms for wireless networks, replacing the short Authentication and privacy clause of the original standard with a detailed Security clause. In the process, the amendment deprecated broken Wired Equivalent Privacy (WEP), while it was later incorporated into the published IEEE 802.11-2007 standard.

IEEE 802.11r-2008 or fast BSS transition (FT), is an amendment to the IEEE 802.11 standard to permit continuous connectivity aboard wireless devices in motion, with fast and secure client transitions from one Basic Service Set to another performed in a nearly seamless manner. It was published on July 15, 2008. IEEE 802.11r-2008 was rolled up into 802.11-2012. The terms handoff and roaming are often used, although 802.11 transition is not a true handoff/roaming process in the cellular sense, where the process is coordinated by the base station and is generally uninterrupted.

Extensible Authentication Protocol (EAP) is an authentication framework frequently used in network and internet connections. It is defined in RFC 3748, which made RFC 2284 obsolete, and is updated by RFC 5247. EAP is an authentication framework for providing the transport and usage of material and parameters generated by EAP methods. There are many methods defined by RFCs, and a number of vendor-specific methods and new proposals exist. EAP is not a wire protocol; instead it only defines the information from the interface and the formats. Each protocol that uses EAP defines a way to encapsulate by the user EAP messages within that protocol's messages.

<span class="mw-page-title-main">Wireless security</span> Aspect of wireless networks

Wireless security is the prevention of unauthorized access or damage to computers or data using wireless networks, which include Wi-Fi networks. The term may also refer to the protection of the wireless network itself from adversaries seeking to damage the confidentiality, integrity, or availability of the network. The most common type is Wi-Fi security, which includes Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP is an old IEEE 802.11 standard from 1997. It is a notoriously weak security standard: the password it uses can often be cracked in a few minutes with a basic laptop computer and widely available software tools. WEP was superseded in 2003 by WPA, a quick alternative at the time to improve security over WEP. The current standard is WPA2; some hardware cannot support WPA2 without firmware upgrade or replacement. WPA2 uses an encryption device that encrypts the network with a 256-bit key; the longer key length improves security over WEP. Enterprises often enforce security using a certificate-based system to authenticate the connecting device, following the standard 802.11X.

wpa_supplicant Open-source implementation of IEEE 802.11i

wpa_supplicant is a free software implementation of an IEEE 802.11i supplicant for Linux, FreeBSD, NetBSD, QNX, AROS, Microsoft Windows, Solaris, OS/2 and Haiku. In addition to being a WPA3 and WPA2 supplicant, it also implements WPA and older wireless LAN security protocols.

<span class="mw-page-title-main">Wi-Fi Protected Setup</span> Network security standard to create a secure wireless home network

Wi-Fi Protected Setup is a network security standard to create a secure wireless home network.

<span class="mw-page-title-main">Pwnie Awards</span> Information security awards

The Pwnie Awards recognize both excellence and incompetence in the field of information security. Winners are selected by a committee of security industry professionals from nominations collected from the information security community. Nominees are announced yearly at Summercon, and the awards themselves are presented at the Black Hat Security Conference.

<span class="mw-page-title-main">Mobile security</span> Security risk and prevention for mobile devices

Mobile security, or mobile device security, is the protection of smartphones, tablets, and laptops from threats associated with wireless computing. It has become increasingly important in mobile computing. The security of personal and business information now stored on smartphones is of particular concern.

<span class="mw-page-title-main">AirDrop</span> Proprietary file sharing between Apple devices

AirDrop is a proprietary wireless ad hoc service in Apple Inc.'s iOS and macOS operating systems, introduced in Mac OS X Lion and iOS 7, which can transfer files among supported Macintosh computers and iOS devices by means of close-range wireless communication. This communication takes place over Apple Wireless Direct Link 'Action Frames' and 'Data Frames' using generated link-local IPv6 addresses instead of the Wi-Fi chip's fixed MAC address.

FREAK is a security exploit of a cryptographic weakness in the SSL/TLS protocols introduced decades earlier for compliance with U.S. cryptography export regulations. These involved limiting exportable software to use only public key pairs with RSA moduli of 512 bits or less, with the intention of allowing them to be broken easily by the National Security Agency (NSA), but not by other organizations with lesser computing resources. However, by the early 2010s, increases in computing power meant that they could be broken by anyone with access to relatively modest computing resources using the well-known Number Field Sieve algorithm, using as little as $100 of cloud computing services. Combined with the ability of a man-in-the-middle attack to manipulate the initial cipher suite negotiation between the endpoints in the connection and the fact that the Finished hash only depended on the master secret, this meant that a man-in-the-middle attack with only a modest amount of computation could break the security of any website that allowed the use of 512-bit export-grade keys. While the exploit was only discovered in 2015, its underlying vulnerabilities had been present for many years, dating back to the 1990s.

<span class="mw-page-title-main">Stagefright (bug)</span> Software bug in Android

Stagefright is the name given to a group of software bugs that affect versions from 2.2 "Froyo" up until 5.1.1 "Lollipop" of the Android operating system exposing an estimated 950 million devices at the time. The name is taken from the affected library, which among other things, is used to unpack MMS messages. Exploitation of the bug allows an attacker to perform arbitrary operations on the victim's device through remote code execution and privilege escalation. Security researchers demonstrate the bugs with a proof of concept that sends specially crafted MMS messages to the victim device and in most cases requires no end-user actions upon message reception to succeed—the user doesn't have to do anything to 'accept' exploits using the bug; it happens in the background. A phone number is the only information needed to carry out the attack.

<span class="mw-page-title-main">Meltdown (security vulnerability)</span> Microprocessor security vulnerability

Meltdown is one of the two original transient execution CPU vulnerabilities. Meltdown affects Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors. It allows a rogue process to read all memory, even when it is not authorized to do so.

BlueBorne is a type of security vulnerability with Bluetooth implementations in Android, iOS, Linux and Windows. It affects many electronic devices such as laptops, smart cars, smartphones and wearable gadgets. One example is CVE-2017-14315. The vulnerabilities were first reported by Armis, an IoT security firm, on 12 September 2017. According to Armis, "The BlueBorne attack vector can potentially affect all devices with Bluetooth capabilities, estimated at over 8.2 billion devices today [2017]"

In cryptography, Simultaneous Authentication of Equals (SAE) is a password-based authentication and password-authenticated key agreement method.

Kr00k is a security vulnerability that allows some WPA2 encrypted WiFi traffic to be decrypted. The vulnerability was originally discovered by security company ESET in 2019 and assigned CVE-2019-15126 on August 17, 2019. ESET estimates that this vulnerability affects over a billion devices.

FragAttacks, or fragmentation and aggregation attacks, are a group of Wi-Fi vulnerabilities discovered by security research Mathy Vanhoef. Since the vulnerabilities are design flaws in the Wi-Fi standard, any device released after 1997 could be vulnerable. The attack can be executed without special privileges. The attack was detailed on August 5, 2021 at Black Hat Briefings USA and at later at the USENIX 30th Security Symposium, where recordings are shared publicly. The attack does not leave any trace in the network logs.

References

  1. 1 2 Cimpanu, Catalin (16 October 2017). "New KRACK Attack Breaks WPA2 WiFi Protocol". Bleeping Computer. Retrieved 2017-10-16.
  2. Gallagher, Sean (2017-10-16). "How the KRACK attack destroys nearly all Wi-Fi security". Ars Technica . Retrieved 2017-10-16.
  3. 1 2 Hern, Alex (2017-10-16). "'All Wifi Networks' Are Vulnerable to Hacking, Security Expert Discovers". The Guardian . ISSN   0261-3077 . Retrieved 2017-10-16.
  4. Vanhoef, Mathy (2017). "Key Reinstallation Attacks".
  5. 1 2 3 Goodin, Dan (2017-10-16). "Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping". Ars Technica . Retrieved 2017-10-16.
  6. "41 percent of Android phones are vulnerable to 'devastating' Wi-Fi attack". The Verge . Retrieved 2017-10-16.
  7. https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog [ bare URL plain text file ]
  8. "What the KRACK Wi-Fi vulnerability means for you and your devices". Oct 16, 2017. Archived from the original on October 16, 2017.
  9. "Wi-Fi Security Flaw: Billions of devices are affected by Eavesdropping Attacks". LookGadgets . Retrieved 2020-02-27.
  10. Merriman, Chris (2017-10-16). "World WiFi at Risk from KRACK". V3. Retrieved 2017-10-16.
  11. Vanhoef, Mathy; Piessens, Frank (2017). "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2" (PDF). Retrieved 2017-10-16.
  12. "Vendor Information for VU#228519". www.kb.cert.org. Retrieved 2017-10-16.
  13. 1 2 Wagenseil, Paul (16 October 2017). "KRACK Attack Threatens All Wi-Fi Networks: What to Do". Tom's Guide. Retrieved 17 October 2017.
  14. "Android Security Bulletin – November 2017". android.com. Retrieved 2017-11-07.
  15. "Stable Channel Update for Chrome OS". chromereleases.googleblog.com. Retrieved 2017-11-07.
  16. "About the security content of iOS 11.1 – Apple Support". support.apple.com. Retrieved 2017-11-01.
  17. "About the security content of iOS 11.2 – Apple Support". support.apple.com. Retrieved 2017-12-07.
  18. The LineageOS Project (16 October 2017). "All official 14.1 builds built after this tweet have been patched for KRACK". Twitter . Retrieved 15 December 2018.
  19. 1 2 3 "About the security content of macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, and Security Update 2017-004 El Capitan – Apple Support". support.apple.com. Retrieved 2017-11-01.
  20. "About the security content of tvOS 11.1". Apple Support. Retrieved 2017-11-07.
  21. "About the security content of watchOS 4.1". Apple Support. Retrieved 2017-11-07.
  22. 1 2 3 4 5 6 "CVE-2017-13080 Windows Wireless WPA Group Key Reinstallation Vulnerability". microsoft.com. Retrieved 2017-11-01.
  23. "Has Ubuntu been patched against the KRACK attack?" . Retrieved 2019-04-17.
  24. "OpenWrt Project: docs:user-guide:wifi_configuration". openwrt.org.
  25. Chirgwin, Richard (5 October 2018). "Man the harpoons: The KRACK-en reawakens in updated WPA2 attack". The Register. Retrieved 2018-10-05.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.