This week, Belgian security researcher Mathy Vanhoef released a research paper documenting his discovery of a serious weakness in the WPA2 wireless protocol, which is used to secure all modern protected Wi-Fi networks.
The attack, which Vanhoef calls a Key Reinstallation Attack (KRACK for short), abuses the way keys are installed during the handshake that sets up a secure wireless session between a client device and a Wi-Fi access point. The weakness is in the protocol standard itself rather than in any one product, so every implementation that follows the standard correctly is affected.
An Oversimplified Explanation of the 4-Way Handshake
Secure wireless sessions are established through a sequence called a 4-way handshake.
- Message 1: The Access Point (e.g. a wireless router) sends a random nonce (the ANonce) to the Client.
- Message 2: The Client (e.g. your laptop) generates its own random nonce (the SNonce). It now has everything it needs to derive the Pairwise Transient Key (PTK): the Pairwise Master Key shared by both sides (derived from the Wi-Fi password), both nonces and both MAC addresses. The Client sends the SNonce to the Access Point together with a Message Integrity Code (MIC) computed with part of the PTK. The PTK itself is never transmitted; once the Access Point has the SNonce it derives the same PTK independently and uses it to verify the MIC.
- Message 3: The Access Point sends the Group Temporal Key (GTK), encrypted under the PTK, so that the Client can decrypt broadcast and multicast traffic, along with a MIC of its own. On receiving this message the Client installs the PTK.
- Message 4: The Client sends a confirmation (again protected by a MIC) to the Access Point, which then installs the PTK as well. From this point on, data frames are encrypted.
Please see Section 2.3 of Mathy’s research paper for further information.
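To show what "the PTK is never transmitted" means in practice, here is the key-derivation side of the handshake in Python. This is an added example written for this post, not code from Mathy's paper or from any Wi-Fi stack: the PRF, the WPA2-PSK PMK derivation and the EAPOL-Key MIC follow the IEEE 802.11 definitions (HMAC-SHA1 based), while the passphrase, SSID, MAC addresses, nonces and the Message 2 frame body are constructed stand-ins.

```python
import hashlib
import hmac


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1 blocks with counter byte i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion", Min(AA,SPA)||Max(AA,SPA)||Min(AN,SN)||Max(AN,SN)).
    aa = authenticator (AP) MAC, spa = supplicant (client) MAC. Min/Max order the inputs so
    both sides compute the same PTK regardless of which side is doing the computing."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    # KCK signs the handshake messages, KEK wraps the GTK, TK encrypts data frames (CCMP).
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key MIC for key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the EAPOL-Key
    frame with its MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def four_way_handshake(passphrase, ssid, ap_mac, client_mac, anonce, snonce):
    """Run the key-derivation side of the handshake for both parties and return what
    each side ended up with. Only the two nonces and a MIC ever cross the air."""
    pmk = pmk_from_passphrase(passphrase, ssid)        # both sides know the password

    # Message 1: AP -> client carries anonce. The client can now derive the PTK.
    client_ptk = derive_ptk(pmk, ap_mac, client_mac, anonce, snonce)

    # Message 2: client -> AP carries snonce plus a MIC over the frame (MIC field zeroed
    # while computing). The body here is a constructed stand-in for the EAPOL-Key fields.
    msg2_body = b"EAPOL-Key msg2 " + snonce + b"\x00" * 16
    msg2_mic = eapol_mic(client_ptk["kck"], msg2_body)

    # The AP now has snonce, derives the same PTK itself and checks the MIC.
    ap_ptk = derive_ptk(pmk, ap_mac, client_mac, anonce, snonce)
    mic_ok = hmac.compare_digest(eapol_mic(ap_ptk["kck"], msg2_body), msg2_mic)

    return {"client_ptk": client_ptk, "ap_ptk": ap_ptk, "mic_ok": mic_ok}


if __name__ == "__main__":
    # Constructed values for illustration; real nonces come from os.urandom(32).
    r = four_way_handshake("correct horse battery", "HomeWiFi",
                           bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff"),
                           bytes(range(32)), bytes(range(32, 64)))
    print("same PTK on both sides:", r["client_ptk"] == r["ap_ptk"])
    print("message 2 MIC verified:", r["mic_ok"])
    print("TK (the key that KRACK gets reinstalled):", r["ap_ptk"]["tk"].hex())
```

The point to take from this is that the handshake does not transport any key; it transports two nonces, and the security of the session rests on each (key, nonce) combination being used exactly once. KRACK does not recover the PTK, it makes the client use it twice.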
A Simplified Explanation of How KRACK is Implemented
The 4-Way Handshake consists of four messages exchanged between the Client and Access Point. Once Message 2 has been exchanged, both sides hold the same PTK, and the Client installs it as soon as it receives Message 3, before the handshake formally completes with Message 4. The handshake is also designed to tolerate lost messages: if the Access Point does not receive Message 4, it retransmits Message 3, and the Client will accept and process that retransmission.
Mathy discovered that by establishing a man-in-the-middle position (cloning the Access Point on another channel so that he can intercept, delay and selectively block frames between a Client and Access Point), he could let Message 3 through to the Client but prevent the Client's Message 4 from reaching the Access Point.
The Access Point is still waiting for Message 4 at this point, and the standard requires it to retransmit Message 3 (in case the first copy was lost). The attacker forwards the retransmitted Message 3 to the Client, which has already installed the PTK and now reinstalls the very same key. The attacker does not alter the key material at all; reinstalling the key resets the per-packet nonce (the packet number) and the replay counter to their initial values, and that reset is the actual flaw.
In short, by forcing the Client to reuse a nonce together with a key it has already used, the attacker causes the same keystream (the pseudorandom bytes XORed with the data to encrypt it) to be applied to two different packets. XORing the two ciphertexts directly yields the XOR of the two plaintexts, and any packet whose content can be guessed (ARP, DHCP and similar predictable traffic) reveals the keystream outright, which then decrypts the other packet. Depending on the cipher suite in use (TKIP and GCMP are worse off than AES-CCMP) the attacker may also be able to replay or forge packets, but decryption alone is damaging enough.
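The following is a small simulation of the Client's side of this, added here to make the mechanism concrete; it is not code from the paper or from the proof of concept. HMAC-SHA256 stands in for AES-CCM's counter mode (the property that matters, that the keystream is a pure function of key and nonce, is the same), the MAC address, temporal key and frame contents are constructed, and the `patched` flag models the fix in simplified form: a patched client refuses to reinstall a key it is already using.

```python
import hashlib
import hmac

TK_LEN = 16  # the CCMP temporal key is 128 bits


def keystream(tk: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream. Real CCMP runs AES in CTR mode over this nonce;
    HMAC-SHA256 stands in here so the example runs with the standard library.
    Either way the keystream is a pure function of (key, nonce)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(tk, nonce + block.to_bytes(2, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """The client's encryption state: the temporal key and the packet number (PN)
    that forms the per-packet nonce. PN must never repeat under the same key."""

    def __init__(self, mac: bytes, patched: bool = False):
        self.mac = mac
        self.patched = patched
        self.tk = None
        self.pn = 0

    def install_key(self, tk: bytes) -> bool:
        # The fix, simplified: a patched client refuses to reinstall an in-use key.
        if self.patched and tk == self.tk:
            return False
        self.tk = tk
        self.pn = 0          # (re)installing a key resets the packet number: this is the bug
        return True

    def encrypt(self, plaintext: bytes):
        self.pn += 1
        nonce = b"\x00" + self.mac + self.pn.to_bytes(6, "big")   # priority || A2 || PN
        return self.pn, xor(plaintext, keystream(self.tk, nonce, len(plaintext)))


# Constructed traffic: the first frame is something an attacker can predict (an ARP
# request, say); the second carries data the attacker actually wants.
KNOWN_PLAINTEXT = b"ARP who-has 192.168.1.1 tell 192.168.1.23 (padded)"
SECRET_PLAINTEXT = b"POST /login user=alice&pass=hunter2"


def krack_demo(patched: bool = False) -> dict:
    tk = bytes(range(TK_LEN))                      # constructed TK (in reality the PTK's TK part)
    client = Station(bytes.fromhex("020000000001"), patched)

    client.install_key(tk)                         # client receives Message 3, installs the PTK
    pn1, c1 = client.encrypt(KNOWN_PLAINTEXT)      # attacker captures c1 over the air

    client.install_key(tk)                         # attacker replays Message 3: reinstallation
    pn2, c2 = client.encrypt(SECRET_PLAINTEXT)     # attacker captures c2

    nonce_reused = pn1 == pn2
    recovered = None
    if nonce_reused:
        ks = xor(c1, KNOWN_PLAINTEXT)              # keystream = ciphertext XOR known plaintext
        recovered = xor(c2, ks)                    # and it decrypts the second frame
    return {"pn1": pn1, "pn2": pn2, "nonce_reused": nonce_reused,
            "plaintext_xor": xor(c1, c2), "recovered": recovered}


if __name__ == "__main__":
    for patched in (False, True):
        r = krack_demo(patched)
        print(f"patched={patched}: PN {r['pn1']} then {r['pn2']}, "
              f"nonce reused={r['nonce_reused']}, recovered={r['recovered']}")
```

Note that `plaintext_xor` is available to the attacker without any known plaintext at all: XORing the two captured ciphertexts cancels the shared keystream and leaves the XOR of the two messages, which is usually enough to start peeling them apart. With the `patched` flag set, the second `install_key` call is ignored, the packet number keeps counting, and the two frames get different keystreams.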
Mitigation and Fixing the Issue
Mathy, the researcher who discovered the issue, has said that he will eventually release his proof-of-concept code, once the industry has had time to develop and distribute patches. Even so, this vulnerability will remain an issue for years to come because of the number of devices that will never be patched.
The somewhat good news is that the issue is fixable in a backwards-compatible way: a patched device can still talk to an unpatched one. For the 4-way handshake, the patch needs to be on the Client, since that is where the key gets reinstalled; access points only need a patch if they support 802.11r fast roaming or themselves act as clients (repeaters, mesh nodes). This is good because, though few people ever update the firmware on their routers, many of our end point devices are configured to auto update themselves. Unfortunately, there is still the huge issue of old Android devices that never get updates from their manufacturers, and Android and Linux clients are among the worst affected: the wpa_supplicant versions they ship (2.4 and later) end up with an all-zero key after the reinstallation, which makes decrypting their traffic trivial.
A Vendor Response Matrix is being maintained here to track patching efforts:
Other Mitigating Steps:
When exploited, this vulnerability lets an attacker within radio range of your Wi-Fi network decrypt traffic that should have been protected by WPA2; in effect, your Wi-Fi traffic is being transmitted in the clear, over the air. It does not affect encryption applied at higher layers (TLS, SSH, VPN tunnels), so those still protect you; therefore, we recommend the following:
- Use a full-tunnel VPN (i.e. all traffic, including web and e-mail, goes over the VPN) that terminates at a trusted end point (e.g. your office or home connection). Be wary of publicly available VPN solutions.
- Make sure sensitive web browsing takes place over TLS (HTTPS), and never click through certificate warnings: an attacker in this position can also try to strip HTTPS from sites that do not enforce it with HSTS.
- Set up 5 GHz Wi-Fi at home, if possible (shorter range but more throughput, which limits the ability of neighbors to snoop). Treat this as reducing exposure only, not as a fix; an attacker with a directional antenna is still in range.
- Make sure you have enabled auto-updates and be on the lookout for patches for all your Wi-Fi enabled devices, including routers, repeaters and IoT devices that do not update themselves.
Please leave questions, comments, and corrections below. This is highly technical subject matter, so I invite any help in making my explanations more accurate or clear.