The United States Computer Emergency Readiness Team has issued a warning about a new attack that affects Wi-Fi networks using the commonly-used WPA2 protocol. The vulnerability is called a KRACK attack and affects the four-way handshake that occurs between an access point and a client device when the client wants to join the protected network.
Attackers can decrypt packets on WPA2 networks by forcing the re-use of a cryptographic nonce with a key already in use by manipulating and replaying cryptographic handshake messages. Should the attack succeed, it's then possible to monitor any and all otherwise unencrypted traffic going through the network. Most Wi-Fi-enabled devices and operating systems are affected by this vulnerability to some degree, including Linux, Windows, Android, and iOS, as well as most Wi-Fi routers and access points.
The attack was discovered by Mathy Vanhoef of the imec-DistriNet research group. The researcher named the attack after its method of action, a Key Reinstallation Attack. Successful attackers could potentially decrypt and inject arbitrary packets, hijack TCP connections, inject HTTP content, and replay unicast and group-addressed frames. Verhoef believes the overwhelming majority of existing WPA2 client devices are vulnerable to some version of the attack, and comments that Android 6.0 and higher and Linux devices are particularly vulnerable.
The researcher goes on to say that WPA2 implementations can be patched in a backwards-compatible manner, meaning that a patched client can communicate with an unpatched access point, and vice versa. Also, a security update on either side of the handshake communication can ensure that keys are not reused. Even so, vulnerable devices should likely not be allowed to continue operating on a network. Given the relaxed pace of software updates within the Android and wireless router manufacturing sectors, KRACK attacks could potentially be a popular attack vector for years to come. Vanhoef produced a brief demonstration video of an attack against an Android 6.0 device, shown below.
The author recommends using WPA2 with AES-CCMP as a mitigation measure, seeing as the WPA-TKIP and GCMP protocols are subject to packet forging and injection in addition to decryption. GCMP is used in WiGig and will likely increase in popularity as the 802.11ad wireless standard spreads. Visiting only SSL-secured websites or using a VPN can deliver an additional layer of protection, too.
For its part, Microsoft is already in the process of pushing out a security update to address the KRACK vulnerability on Windows clients. The Wi-Fi Alliance has likewise published an update indicating that it now requires testing for its vulnerability in its certification lab.
Vanhoef will be presenting the research behind the attack at the Computer and Communications Security Conference and the Black Hat Europe conference. A detailed research paper is available now for those interested in some dense reading. We recommend all wireless readers read US CERT's advisory and Vanhoef's KRACK web page.