WPA2 security hole KRACKs Wi-Fi networks wide open

The United States Computer Emergency Readiness Team has issued a warning about a new attack that affects Wi-Fi networks using the commonly-used WPA2 protocol. The vulnerability is called a KRACK attack and affects the four-way handshake that occurs between an access point and a client device when the client wants to join the protected network.

Attackers can decrypt packets on WPA2 networks by forcing the re-use of a cryptographic nonce with a key already in use by manipulating and replaying cryptographic handshake messages. Should the attack succeed, it's then possible to monitor any and all otherwise unencrypted traffic going through the network. Most Wi-Fi-enabled devices and operating systems are affected by this vulnerability to some degree, including Linux, Windows, Android, and iOS, as well as most Wi-Fi routers and access points.

The attack was discovered by Mathy Vanhoef of the imec-DistriNet research group. The researcher named the attack after its method of action, a Key Reinstallation Attack. Successful attackers could potentially decrypt and inject arbitrary packets, hijack TCP connections, inject HTTP content, and replay unicast and group-addressed frames. Verhoef believes the overwhelming majority of existing WPA2 client devices are vulnerable to some version of the attack, and comments that Android 6.0 and higher and Linux devices are particularly vulnerable.

The researcher goes on to say that WPA2 implementations can be patched in a backwards-compatible manner, meaning that a patched client can communicate with an unpatched access point, and vice versa. Also, a security update on either side of the handshake communication can ensure that keys are not reused. Even so, vulnerable devices should likely not be allowed to continue operating on a network. Given the relaxed pace of software updates within the Android and wireless router manufacturing sectors, KRACK attacks could potentially be a popular attack vector for years to come. Vanhoef produced a brief demonstration video of an attack against an Android 6.0 device, shown below.

The author recommends using WPA2 with AES-CCMP as a mitigation measure, seeing as the WPA-TKIP and GCMP protocols are subject to packet forging and injection in addition to decryption. GCMP is used in WiGig and will likely increase in popularity as the 802.11ad wireless standard spreads. Visiting only SSL-secured websites or using a VPN can deliver an additional layer of protection, too.

For its part, Microsoft is already in the process of pushing out a security update to address the KRACK vulnerability on Windows clients. The Wi-Fi Alliance has likewise published an update indicating that it now requires testing for its vulnerability in its certification lab.

Vanhoef will be presenting the research behind the attack at the Computer and Communications Security Conference and the Black Hat Europe conference. A detailed research paper is available now for those interested in some dense reading. We recommend all wireless readers read US CERT's advisory and Vanhoef's KRACK web page.

Comments closed
    • kalko555
    • 2 years ago

    very useful site with all needed information: [url<]http://itblogsec.com/wpa2-encryption-can-now-hacked-new-kracks-method/[/url<]

    • DavidC1
    • 2 years ago

    Since you can’t be 100% secure,

    the methods for being reasonably secure are still the same now as a decade ago.

    -As a user change the default password, if it uses a generic one like “Login” or “Password”. Fortunately newer routers ship with a random default password
    -Don’t make it too complicated for novice users, otherwise they write it down and it makes it even worse. Key is balance
    -Don’t do anything that you’ll regret if it gets hacked*

    *As a side point I disagree with things like Connected Home, and consumer IoT where they want literally everything to be connected to the internet. Not only countless notifications on your phone will cause stress to the user, its a security nightmare. Regular $3 LED bulbs are fine. Simple baby monitors are fine. You don’t need a T-shirt with a WiFi connection. A person shouldn’t need more than 3 compute capable devices at most. A Computer, a Smartphone, maybe a Smart Watch.

    • ronch
    • 2 years ago

    Nothing is ever actually secure.

      • LostCat
      • 2 years ago

      Noone has hacked into my mind core yet, though I’m not sure why they’d want to.

    • LSDX
    • 2 years ago

    So, is WPA2 using Radius server still safe?

      • cygnus1
      • 2 years ago

      No. Radius is only authentication. The simplest version of the attack can still decrypt the traffic of a vulnerable client. If you run a VPN on top of the WPA2 protected network that can be a mitigating protection until the vulnerable client is updated. But any vulnerable client is vulnerable on any WPA2 network to which they connect.

        • LSDX
        • 2 years ago

        hey thanks for the quick reply. saves me reading tons of useless articles 🙂
        I’ll try to set up a VPN on my NAS.

    • Shinare
    • 2 years ago

    I wonder how many refrigerators, light bulbs, thermostats, washing machines, etc are going to update their firmware for this… :/

      • curtisb
      • 2 years ago

      Well to be fair, it’s not like you’re browsing the web from those type of devices. Ok, [i<]maybe[/i<] you're shopping from the fridge...

        • frenchy2k1
        • 2 years ago

        any shopping should happen on secured https anyway, so this should be a moot point.
        I feel this is rather overblown.
        It may be dangerous for companies, as this may let outsiders spy on communications and capture files or trade secrets, but for most home users using WPA2 + AES, it means squat.

        Listeners could grab about the same infos they would have if you were on a free wifi network.

        Connect to work from home? VPN => still safe
        Online shopping? https encrypted => still safe
        They can snoop on local streamed files (unprotected) or non-secure webpage access (once again, no credit card or shopping).

        Note that they cannot request anything as AES does not let them do packet injection, just snooping and decoding.

    • Yan
    • 2 years ago

    So what should a normal user do?

    In his [url=https://www.krackattacks.com/<]paper[/url<], the researcher says: "For ordinary home users, your priority should be updating clients such as laptops and smartphones." Is that all? Is it necessary to update the access point's firmware ? Good luck with that. 🙁

      • willmore
      • 2 years ago

      If you can update it do so. If you can’t, ponder replacing it with one that is known to have corrected it.

      • maxxcool
      • 2 years ago

      the attack REQUIRES both client and SERVER (router) co-operation. Windows is immune, IOS 11.3 and better is immune, Android is one update for the supplicant to be immune.

      More so this is a man in the middle .. the attacker needs access to begin with in order to issue the beacons, force a new handshake and send you off to a rouge channel to monitor and capture.

        • jihadjoe
        • 2 years ago

        AFAIK it’s client-only. It’s possible to get hacked even with a fully-patched AP if someone uses an old android phone on your network.

        Edit from the [url=https://www.krackattacks.com/#faq<]krackattacks faq[/url<]: [quote<]What if there are no security updates for my router? Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.[/quote<] The router patches are only for when they operate in client mode. The actual problem needs to be patched on the client side.

          • adisor19
          • 2 years ago

          Client mode and when using 802.11r. Not shure why this part is often overlooked..

          Adi

      • cygnus1
      • 2 years ago

      The vulnerability is on the client side of the 4 way handshake. So only APs that are operating as clients (eg. a wireless extender/repeater) are directly vulnerable. Most are capable of that though, so should be patched.

      Any client device using wifi that is running an OS that you can’t update, needs to be thought of as transmitting in the clear. Many devices are already patched or have a patch available. The largest group of in-the-wild client devices not likely to get updates are most Android devices older than a year or two. They’re to be trusted now as much as anything running Vista or XP.

    • Beahmont
    • 2 years ago

    So I could be wrong, but it seems like the only bright spot in all of this is that at some point you have to have been in physical range of the communicating points to ‘physically’ capture the handshake between them and intercept the resulting un-encrypted wifi signal.

    That should at least reduce the attack vectors and make individual targeting somewhat harder. At least until someone figures out a way to make a bot network run the whole kit for the attack and starts a cascade hack. So you know, a day or two.

      • DPete27
      • 2 years ago

      This was my question also. Am I right in thinking that the attacker needs to be in broadcast range of the victim wifi network to complete the attack? If so, it seems this is unlikely to be a mass scale security risk as it needs to be physically initiated by individuals.

      Of course, with so many OS’es affected, it will be interesting to see how long (if at all) it will take to update all devices.

    • ludi
    • 2 years ago

    I’m noticing that the available updates seem to be only for AC devices. And Ubiquiti’s update page includes an asterisk note:

    [quote<]This primarily affects devices that support STA mode. It's worth noting that 1st gen AC devices do not support STA mode, which is why we have only released a 3.9.x firmware.[/quote<] Are older B/G/N devices not affected?

      • Beahmont
      • 2 years ago

      They are, but I think most of them are affected by the bigger problem that they are already using out dated and cracked WPA or WPA2 implementations. All up to date WPA2 implementations are vulnerable to this attack. All not up to date implementations may still be vulnerable, but also have other attacks that can be used against them. There is no “Old Tech outwits New Attack by being obsolete” here.

      This is a big F-ing deal. Almost everything wireless is affected by this one attack. And most of the stuff that’s not affected by this attack is already vulnerable to other attacks.

      • cygnus1
      • 2 years ago

      STA mode equals client mode. So what Ubiquity is saying is that only their devices that can operate in the mesh/extender/repeater modes are vulnerable and only when operating in that mode. All other clients that are vulnerable are vulnerable no matter what patch level your WAP is.

        • adisor19
        • 2 years ago

        Umm, isnt’t any device that supports 802.11r also affected ?! How can they claim that only STA supporting devices are affected ?

        Adi

          • cygnus1
          • 2 years ago

          They don’t actually support full 802.11r

          [url<]https://help.ubnt.com/hc/en-us/articles/115004662107-UniFi-Fast-Roaming[/url<]

    • christos_thski
    • 2 years ago

    Can we bypass this problem if we make our shitty router’s SSID not public?

    Good luck getting an update… Router manufacturers are worse than chinese android vendors with this stuff.

      • TwistedKestrel
      • 2 years ago

      No, hiding SSIDs does almost nothing. And actually the routers aren’t the problem, though I wish it were as it’s way easier to fix/replace a router than twenty clients

        • Bauxite
        • 2 years ago

        Apparently patching either end is good enough to prevent the attack. Granted a patched client only protects its own link while a patched router covers every client.

          • cygnus1
          • 2 years ago

          [url=https://www.krackattacks.com/#faq<]This is not accurate. A vulnerable client is vulnerable on any WPA2 network to which they connect.[/url<]

      • Buub
      • 2 years ago

      Looks like Ubiquiti already has an update for their Unifi products. Yay!

        • davidbowser
        • 2 years ago

        I cannot say enough about how happy I am with my UniFi gear. I read a review on Ars about UniFi and then maybe a few weeks later a buddy of mine told me how easy his install and config was, and that was all I needed.

        I now have wifi, wired gigabit and my FW all UniFi. I have all the devices in my house listed with “friendly names” so that I can instantly recognize new devices (they show as MAC addresses). I have both a hidden private SSID and an isolated public guest SSID. Everything works and they release software and firmware updates every month or so. It is freakin great.

          • MathMan
          • 2 years ago

          The biggest issue with UniFi is that they regressed innfeatures when they switched from Atheros to Broadcom WiFi chips: they lost the ability to seamlessly switch from one access point to tbr next.

          Furthermore, their transmit power is significantly lower than state of the art routers from Asus and Netgear.

          I ordered and installed a bunch of UniFis, but in the end, the usage experience was worse than the one with a cheap router, so I returned them.

          I’ll be switching to Eero (or equivalent) eventually.

            • davidbowser
            • 2 years ago

            Since they released updated firmware this Summer, I have not had any real roaming issues. Admittedly, it is just my house, but VOIP and video chat have been great.

            [url<]https://help.ubnt.com/hc/en-us/articles/115004662107[/url<]

            • Bauxite
            • 2 years ago

            I wouldn’t wish asus or netgear on an enemy.

            • MathMan
            • 2 years ago

            You would if a UniFi (high power version) gives you 1 bar and 1 Mbps 2 rooms away while an Asus gives you 4 and 20Mbps.

            • MOSFET
            • 2 years ago

            Exact opposite experience.

            • backwoods357
            • 2 years ago

            Yeah, I have hundreds of APs deployed businesses across the country and have never had issues like you describe. Maybe you had a defective unit or this is just a case of choice-supportive bias. Unifi APs kick ass.

            • adisor19
            • 2 years ago

            Atheros have always been known to have better quality radios over Broadcom. Sadly, since Qualcomm bought them, they’re charging an arm and a leg for them and Ubiquiti can not afford it.

            Adi

        • Bauxite
        • 2 years ago

        [url<]https://community.ubnt.com/t5/UniFi-Updates-Blog/FIRMWARE-3-9-3-7537-for-UAP-USW-has-been-released/ba-p/2099365[/url<]

        • cygnus1
        • 2 years ago

        I’m happy about that too, being a Unifi user. I’m sorry to dampen your enthusiasm though, but keep in mind that patch only applies when the equipment is used in a repeater/extender mode and the WAP is also operating as a client. Any vulnerable client is vulnerable on any WPA2 network to which they connection. All your client devices needed to be confirmed as updated.

        edit: I’m happy about that too, being a Unifi user. But I’m sorry to dampen your enthusiasm with the crap news that the fix isn’t that easy. I would have much preferred the vulnerability to be 100% fixable on the WAP side, but alas…

      • Bauxite
      • 2 years ago

      “Hiding” a SSID just tells me someone does not understand wifi security at all, which often means it is more likely they got something wrong with their setup than someone using a (recent) default isp config which [i<]was[/i<] reasonably secure if WPA2. A little bit of (incorrect) knowledge is dangerous.

        • christos_thski
        • 2 years ago

        So I read up on SSID broadcasting and it appears you’re right (this why I was asking in the first place, and not positing any sort of statement of the sort ; I’m not familiar with network security).

        But that got me wondering. Is there any legitimate reason the option to not broadcast SSID exists? Is it just a marketing gimmick or does it serve some other purpose?

          • TwistedKestrel
          • 2 years ago

          It came from the earlier days of 802.11b – it didn’t really do anything then either, just that WiFi was less widely understood and it *seemed* like a secure thing to do.

          There can be reasons to “hide” SSIDs like hiding files on your computer – they may serve some non-user facing function and you just don’t need to see them

    • Chrispy_
    • 2 years ago

    So, assume that network access from a device that’s behind schedule on updates is potentially unsafe? Nothing new there.

    OS updates to WPA2 are just one more thing to add to the list of things you need to do for safe internet use today.

      • MathMan
      • 2 years ago

      No.

      The vulnerability is a specification issue, not an implementation issue: all fully bugfree up-to-date implementations can be vulnerable.

      That said: it is possible to fix the problem while staying backward compatible.

        • Chrispy_
        • 2 years ago

        I’m not sure I understand:

        Intel have patched their drivers which will be deployed to Intel NICs via Windows update,
        iOS, Debian and OpenBSD have all been patched already.

        Sure the specification is at fault, but the OS/driver updates will just stop using the bit of the specification that is vulnerable, right?

          • MathMan
          • 2 years ago

          Yes.

          I’m just pointing out that, until today, you could have been perfectly up to date with everything and be just as vulnerable as someone who wasn’t.

          Your last sentence was right of course.

          • cygnus1
          • 2 years ago

          Not really. The 4 way handshake will still happen, it will just not happen in a vulnerable way now. So from the what’s broadcast by devices standpoint, it will all look the same as before. The difference will come in how they react to attacks of that handshake.

      • jihadjoe
      • 2 years ago

      Or just run a TLS-encrypted VPN on top of your WiFi and run all devices, including the internet gateway inside that VPN. Anyone who KRACKs into your router gets nothing but the chance to have a go at the VPN.

      Let’s face it, a LOT of clients like old Android phones are never going to get patched.

    • Krogoth
    • 2 years ago

    Wireless Ethernet and meaningful security are almost mutually exclusive terms.

      • Ryu Connor
      • 2 years ago

      /facepalm

        • ermo
        • 2 years ago

        I’m with Krogoth on this one.

          • DragonDaddyBear
          • 2 years ago

          I’m good with wireless if it has NAC.

        • Krogoth
        • 2 years ago

        Wireless Ethernet was never designed with security in mind. It is built around convenience.

        It is quite difficult to control the flow of information unless you insulate your wireless zone with Radio/Microwave shielding.

        Encryption is just a deterrent.

          • Ryu Connor
          • 2 years ago

          You babbling additional nonsense doesn’t make something true.

            • Krogoth
            • 2 years ago

            “There’s nothing to worry about! War-driving is totally a myth! Nobody is going to try snooping your packets!”

            • maxxcool
            • 2 years ago

            No, hes 100% right. Just like SMTP, TCP, UDP etc.. no security was EVER considered in the invention and design. Basic security such as pathetic encapsulation came later, And in varying degrees strength.. but at the end of the day the same standard exists with pseudo-security on top if it which is why a 4-way handshake remuneration and replay issues a encryption key with nothing but zeros in it.

            • Ryu Connor
            • 2 years ago

            The original 802.11 security standard included WEP, meaning all your comparisons are in fact not correct.

            I’d also note that your example of an all zero encryption key was the way Linux did it, not necessarily the way the standard intended it. Even the finder of the flaw details that said quirk came about in the way part of the standard was interpreted. Windows does not use an all zero key the way Linux and Android do.

            Krogoth and the rest of you quick to defend him are missing the point. You somehow have confused broken security or the fact that security came later as meaning the technology can’t be secured. Or as Krogoth states it, mutually exclusive to security.

            That is nonsense and if you’re going to live by that silly manta you might as well unplug from the Internet right now.

            It also just shows a fundamental misunderstanding of networking and the encapsulation design. Networking has always supported the fundamental capability of encrypting later in the encapsulation process.

            Also this whole line of thought means 802.3 (wired Ethernet) is a total train wreck by your terrible examples.

            All Krogoth and the rest of you have demonstrated is an inability to critically think.

            • maxxcool
            • 2 years ago

            Shrug.. glancing at 1122 and 821 show no means of secure communication or repudiation.

            • Krogoth
            • 2 years ago

            Ahem, you need to read a bit more carefully. I said “almost” mutually exclusive.

            You also need to stop focusing so much on the protocol/logical level. The medium itself is fundamentally not secured. You can easily eavesdrop microwaves/radio waves if they are not shielded within their wireless access zone, but deciphering them is a completely different matter.

            • Bauxite
            • 2 years ago

            He is correct, the 802.11 extensions came about with literally no security concepts. It has been sloppily bolted on ever since. The nicest paintjob in the world won’t make up for frame rust.

            • Ryu Connor
            • 2 years ago

            If you’re gonna try and say someone is correct with a fact, it helps if that fact is true.

            802.11 did come with security concept. WEP was part of the 802.11 standard.

            You can accuse WEP of not being robust, but you can’t accuse the 802.11 standard of having no security concepts.

      • willmore
      • 2 years ago

      Now I feel silly for backing of of WPA2-enterprise (EAP/TLS) and going back to WPA2-PSK (AES/CCM). But at least I didn’t use WPA2 compatable.

        • frenchy2k1
        • 2 years ago

        You shouldn’t.
        WPA2 enterprise suffers also from the weakness.
        Look for enterprise in the page detailing it:
        [url<]https://www.krackattacks.com/[/url<]

      • Yan
      • 2 years ago

      Wireless ethernet is so insecure that I’ve decided to use wired wi-fi.

        • smilingcrow
        • 2 years ago

        I prefer my WiFi more sober than wired as it tends to take less risks.

    • TwistedKestrel
    • 2 years ago

    [quote<]Also, a security update on either side of the handshake communication can ensure that keys are not reused.[/quote<] The summary suggests that this might not be true, that clients must be updated. Unless (I hope) I'm reading it wrong?

      • morphine
      • 2 years ago

      From the original text, “the security updates will assure a key is only installed once, preventing our attacks.”

      The text admittedly isn’t very explicit about this, but it stands to reason that if either end is updated to prevent key reuse, then the updated device will reject a “bad” key that the other side sent.

        • cygnus1
        • 2 years ago

        From what I’ve read, the attack targets the client side of the 4 way handshake. Patching WAPs only protects in the instance of repeater/extender mode being used and hence the WAP is also acting as a client. All vulnerable clients are vulnerable on any WPA2 network to which they connection.

    • davidbowser
    • 2 years ago

    Ubiquiti [url=https://community.ubnt.com/t5/UniFi-Updates-Blog/FIRMWARE-3-9-3-7537-for-UAP-USW-has-been-released/ba-p/2099365<]released updates[/url<] for UniFi devices this morning. Updates take a few minutes. Tell everyone to grab a cup of coffee.

      • CScottG
      • 2 years ago

      ..yet ANOTHER reason to go with Ubiquiti.

        • cygnus1
        • 2 years ago

        Nope. The vulnerability is in the client side of the 4 way handshake. All that Ubiquiti has patched are the repeater/extender modes of their WAPs. Now they did that quickly, but that does not secure any networks from this attack. The attack targets clients and a vulnerable client is vulnerable on any network they connect to, no matter the patch level of the WAP.

        Edit: that probably came off harsh. I’m happy about their update too, being a Unifi user but I’m sorry to dampen your enthusiasm with the crap news. I would have much preferred if the vulnerability was 100% fixable on the WAP side.

          • davidbowser
          • 2 years ago

          The Krack fix is going to take a while to clean up because of all the client patching required, so I tend to look at things 2 ways: admin and consumer.

          Admin: Patch the WAPs now and patch client devices ASAP. Encourage end users to get client device updates for their personal devices, and just hope and pray that IT device inventory records are clean and up to date.

          Consumer: Patch your own devices ASAP. I am betting linux distros, Apple, Microsoft and Google have patches within a week since I have seen this story on every major tech news outlet, and even some non-tech sites.

          • CScottG
          • 2 years ago

          I looked this over.. But there is a distinguishing comment from the KRACK attack team:

          “Our attack is not limited to recovering login credentials (i.e. e-mail addresses and passwords). In general, any data or information that the victim transmits can be decrypted.

          Additionally, DEPENDING ON the device being used and THE NETWORK SETUP, IT IS ALSO POSSIBLE TO DECRYPT DATA SENT TOWARDS THE VICTIM (e.g. the content of a website).

            • cygnus1
            • 2 years ago

            I think they’re referring to the case of attacking a WAP that’s in a mesh or extender configuration. If the WAP’s upstream wireless connection is able to be successfully attacked, you could decrypt any data going to/from all the downstream clients connected to the WAP..

    • chuckula
    • 2 years ago

    [url=https://techreport.com/forums/viewtopic.php?f=14&t=120186&view=unread#unread<]Great minds think alike[/url<]

      • tanker27
      • 2 years ago

      You should get Byline creds for posting it first. 😛

      EDIT: Actually Notfred best you to it. [url=https://techreport.com/forums/viewtopic.php?f=14&t=120185&view=unread#unread<]Link[/url<]

        • cynan
        • 2 years ago

        Great minds also know that cognitive processing speed is only one domain of IQ.

Pin It on Pinterest

Share This