Man the harpoons: The KRACK-en reawakens in updated WPA2 attack

Belgium, home of fine chocolate, fries-with-mayo, and Wi-Fi key reinstallation attacks

The Belgian researcher who last year gave the world the KRACK attack has returned with what he says is a refined version of the vulnerability.

KRACK was first disclosed roughly 12 months ago by Mathy Vanhoef of Flanders university KU Leuven.

It was a protocol attack, meaning any implementations that followed the standard inherited the issue. An attacker could fool WPA2's four-way handshake, causing the victim to reuse nonces – of the cryptographic kind – meant for a single use.

Smart oven

WPA2 security in trouble as KRACK Belgian boffins tease key reinstallation bug

READ MORE

That sent vendors on a patching scramble, but further work on Vanhoef's part led him to suspect KRACK still works. He went public with his follow-up here, ahead of presenting a paper (PDF) to the Association of Computing Machinery's SIGSAC conference later this month.

The tl;dr version is in the abstract of the paper by Vanhoef and his co-researcher Frank Piessens:

  • We show how to attack the 4-way handshake without relying on hard-to-win race conditions, and use a method to more easily obtain the required multi-channel MiTM [man in the middle].
  • We systematically analyse all 802.11 features that negotiate or manage keys, and discover that the FILS and TPK* handshake are also vulnerable to key reinstallations.
  • We show that the updated 802.11 standard is still vulnerable to reinstallations of the group key, and present implementation flaws that affect the security of group-addressed frames.
  • We analyse security patches of vendors, and discover several implementation-specific key (re)installation vulnerabilities.

Apple's macOS and iOS operating systems both had buggy patches that have since been fixed, Vanhoef wrote.

And there's more – the 802.11v Wireless Network Management (WNM) protocol has provided a path around official patches, via deep-sleep power-saving features.

Vanhoef and Piessens believed an attacker can exploit WNM-Sleep frames to get around Wi-Fi's protocol fixes.

Vanhoef wrote: "The official defence states that a device shouldn't reinstall an already in-use key. However, this defence can by bypassed by first letting the victim install a new key, to then let it (re)install an old key."

He said the attack exploits the interaction between EAPOL-Key frames and WNM-Sleep frames, and it only allows the attacker to reinstall the group key. That made it a low-impact vulnerability.

There's a proof-of-concept key reinstallation attack script at GitHub. ®

Bootnote

* FILS, or Fast Initial Link Setup, was only signed off in June 2017 and isn't in widespread deployment yet. TPK, Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key, is a handshake designed for direct client-client connectivity, such as connecting from a TV to a tablet without going through the access point.




Biting the hand that feeds IT © 1998–2018